Cybersecurity researchers from GitGuardian and Synacktiv uncovered a major security issue affecting Laravel applications. Over 600 Laravel apps were found to be vulnerable to remote code execution (RCE) attacks after their secret APP_KEYs were leaked publicly, primarily on GitHub.
Why Is APP_KEY Important?
APP_KEY is a 32-byte encryption key generated during Laravel installation. It is used for encrypting sensitive data, signing tokens, and securing session cookies. The key is typically stored in the .env configuration file, which often contains other secrets as well.
How Did the Exposure Happen?
Researchers were able to extract over 260,000 APP_KEYs from GitHub repositories between 2018 and May 2025. At least 10,000 unique APP_KEYs were found, with 400+ validated as functional. More than 600 live applications were confirmed vulnerable, and about 120 remain at immediate risk of trivial RCE attacks.
The Exploit Mechanism
Laravel's decrypt() function automatically deserializes decrypted data. If an attacker obtains the APP_KEY, they can decrypt sensitive data and session cookies, craft malicious serialized PHP objects, and trigger deserialization attacks, leading to arbitrary code execution on the server. Tools like phpggc and custom Laravel exploit scripts make this process straightforward for attackers.
Broader Impact
35% of exposures involved other secrets, such as database credentials, cloud storage tokens, and payment keys, compounding the risk. Many leaks also included the APP_URL, enabling attackers to directly target the affected application. Researchers also found that some developers failed to rotate compromised keys, only deleting them from repositories, leaving production systems exposed.
Example Vulnerability
- CVE-2024-55555 (Invoice Ninja): Demonstrates RCE via APP_KEY compromise in real-world Laravel apps. The vulnerability affects Laravel versions from 5.1 through 11.34.2+.
Security Recommendations
- Never commit .env files or secrets to public repositories.
- Rotate any exposed APP_KEY immediately; simply deleting it from source control is not enough.
- Use automated tools to monitor for secret exposures.
- Regularly audit all credentials in configuration files and rotate them as part of incident response.
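The "Broader Impact" and "Security Recommendations" sections above describe what an audit of a leaked .env has to establish: whether the committed APP_KEY is actually usable (a Laravel key is base64 of exactly 32 bytes), whether APP_URL reveals where it is deployed, and which other secrets leak alongside it. The following script is an added example written for this article; it is not GitGuardian's, Synacktiv's or Laravel's code. The .env contents, the placeholder secret values and the list of secret-bearing variable names are constructed for the demonstration.

```python
"""Audit helper: find Laravel APP_KEYs committed in text files and gauge the blast radius."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Laravel's AES-256-CBC encrypter requires a 32-byte key, stored in .env as "base64:<b64>".
KEY_BYTES = 32
APP_KEY_RE = re.compile(r'APP_KEY\s*=\s*["\']?(base64:[A-Za-z0-9+/=]+)["\']?')

# Variables that commonly carry other secrets in a Laravel .env (constructed, non-exhaustive list).
SECRET_VARS = ("DB_PASSWORD", "AWS_SECRET_ACCESS_KEY", "STRIPE_SECRET",
               "MAIL_PASSWORD", "REDIS_PASSWORD", "PUSHER_APP_SECRET")


@dataclass
class Finding:
    app_key: Optional[str]      # the APP_KEY value as found, or None
    key_usable: bool            # True when it decodes to exactly 32 bytes
    app_url: Optional[str]      # APP_URL, if the same file reveals where the key is used
    other_secrets: List[str]    # names of co-exposed, non-empty secret variables


def key_is_usable(value: str) -> bool:
    """A value is only a working Laravel key if it is 'base64:' + base64 of exactly 32 bytes."""
    prefix = "base64:"
    if not value.startswith(prefix):
        return False
    try:
        raw = base64.b64decode(value[len(prefix):], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(raw) == KEY_BYTES


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser for dotenv-style files; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        env[name.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_env(text: str) -> Finding:
    """Assess one committed .env: is there a usable APP_KEY, and what else leaks with it?"""
    env = parse_env(text)
    app_key = env.get("APP_KEY") or None
    others = [v for v in SECRET_VARS if env.get(v)]
    return Finding(
        app_key=app_key,
        key_usable=bool(app_key) and key_is_usable(app_key),
        app_url=env.get("APP_URL") or None,
        other_secrets=others,
    )


def find_app_keys(text: str) -> List[str]:
    """Grep-style pass over any text (docs, CI logs, config dumps) for pasted APP_KEY values."""
    return APP_KEY_RE.findall(text)


# Constructed sample: a .env as it might appear in a public repository (placeholder values only).
SAMPLE_ENV = f"""
APP_NAME=DemoShop
APP_ENV=production
APP_KEY=base64:{base64.b64encode(bytes(range(KEY_BYTES))).decode()}
APP_URL=https://shop.example.invalid
DB_PASSWORD=placeholder-db-password
STRIPE_SECRET=sk_placeholder
MAIL_PASSWORD=
"""

if __name__ == "__main__":
    f = audit_env(SAMPLE_ENV)
    print(f"APP_KEY usable: {f.key_usable}; deployment URL known: {f.app_url is not None}; "
          f"co-exposed secrets: {f.other_secrets}")
```

Run over a repository's history (for example by feeding each revision of .env to audit_env), the finding tells an incident responder which keys must be rotated rather than merely deleted, and which database, cloud and payment credentials have to be rotated with them. The key_is_usable check mirrors the validation step the researchers describe: a pasted value that is not base64 of 32 bytes cannot drive Laravel's encrypter and is noise rather than an exposure.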