Advisory Published
Updated

GHSA-jwvj-pwww-3mj5

First published: Wed May 15 2024(Updated: )

This is a follow-up to the security advisory https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x which addresses a few additional edge cases. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.

Affected SoftwareAffected VersionHow to fix
composer/laravel/framework>=8.0.0<8.24.0
8.24.0
composer/laravel/framework>=7.0.0<7.30.4
7.30.4
composer/laravel/framework>=6.0.0<6.20.14
6.20.14

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is the severity of GHSA-jwvj-pwww-3mj5?

    The severity of GHSA-jwvj-pwww-3mj5 is classified as high due to potential data validation issues.

  • How do I fix GHSA-jwvj-pwww-3mj5?

    To fix GHSA-jwvj-pwww-3mj5, upgrade Laravel framework to versions 8.24.0, 7.30.4, or 6.20.14 as applicable.

  • What types of Laravel framework versions are affected by GHSA-jwvj-pwww-3mj5?

    GHSA-jwvj-pwww-3mj5 affects Laravel framework versions between 6.0.0 and 6.20.14, 7.0.0 and 7.30.4, and 8.0.0 and 8.24.0.

  • What is the main issue addressed in GHSA-jwvj-pwww-3mj5?

    GHSA-jwvj-pwww-3mj5 addresses issues with inputs being incorrectly handled when a non-array field is treated as an array.

  • Is manual intervention required after fixing GHSA-jwvj-pwww-3mj5?

    Yes, after upgrading to the recommended versions for GHSA-jwvj-pwww-3mj5, manual verification of input validation may be necessary.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203