Code Injection in laravel/framework


Reported on

Jun 12th 2021

✍️ Description

Function injection in Illuminate\Validation\Rules\RequiredIf can be exploited to generate gadget chains for deserialization vulnerabiltiies.

🕵️‍♂️ Proof of Concept

use Illuminate\Validation\Rules\RequiredIf;


$gadget = serialize(new RequiredIf("phpinfo"));

echo unserialize($gadget); // exploitation

As soon as the object is casted to string, function phpinfo gets executed.

💥 Impact

This vulnerability is capable of calling callables and can be utilized in POP gadget chains when exploiting deserialization vulnerabilities.

0xcrypto modified the report
a year ago
0xcrypto submitted a
a year ago
Jamie Slome
a year ago


@taylorotwell, can you just confirm that this report is valid?

Jamie Slome validated this vulnerability a year ago
0xcrypto has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on 814d6b a year ago
0xcrypto has been awarded the fix bounty
4 months ago


@jamieslome is it possible to get CVE on this one?

Jamie Slome
4 months ago


@0xcrypto - we would first require the go-ahead from the maintainer before assigning a CVE here 👍

to join this conversation