Over 600 Laravel Apps Vulnerable to Remote Code Execution Attack

Cybersecurity experts have identified a significant vulnerability involving stolen Laravel APP_KEYs, which can be exploited to remotely control numerous applications. GitGuardian reported that these keys, crucial for data security, are frequently exposed on platforms like GitHub. If obtained by attackers, the APP_KEY can be used to execute arbitrary code on servers, compromising both data and systems.
From 2018 to May 2025, over 260,000 APP_KEYs were found on GitHub, with more than 600 Laravel applications identified as potential targets. The APP_KEY, a 32-byte key generated during Laravel installation, is stored in the .env file and is vital for encryption, secure token generation, and data integrity.
A flaw in Laravel's decryption process, which by default passes decrypted data straight to PHP's unserialize(), allows remote code execution (RCE) once the APP_KEY is compromised: whoever holds the key can produce payloads the application accepts as authentic. This vulnerability, initially identified as CVE-2018-15133, persists in newer Laravel versions under specific configurations, such as SESSION_DRIVER=cookie, as highlighted by CVE-2024-55556.
Real-world attacks have exploited this vulnerability, notably by hackers associated with the AndroxGh0st malware. Research indicates that 63% of APP_KEY leaks originate from .env files, which often contain other sensitive information like cloud tokens and database credentials. Approximately 28,000 APP_KEY and APP_URL pairs have been exposed, with 10% being valid, making 120 applications susceptible to RCE attacks.
GitGuardian advises against merely deleting exposed APP_KEYs from repositories, since the key remains in the git history and in any copy already taken. Instead, compromised keys should be rotated immediately, affected systems updated, and continuous monitoring implemented to prevent future leaks. This issue is part of a broader category of PHP deserialization vulnerabilities, where tools like phpggc can facilitate RCE in Laravel environments with leaked keys.
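As an added example (not GitGuardian's or Laravel's code), a Python check a defender can run on a key found in a leak: it locates APP_KEY values in leaked text, validates their format, and tests whether the key verifies the MAC on one of the app's own encrypted payloads (such as a laravel_session cookie), which is what makes a leaked key "valid" in the figures above; after rotation the same payload no longer verifies. Laravel's envelope (base64 JSON with iv, value and mac, the mac being HMAC-SHA256 over the base64 iv and base64 ciphertext) is assumed from its Encrypter; the .env line and payload are constructed samples.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets

# Laravel writes the key to .env as APP_KEY=base64:<44-char base64 of 32 bytes>.
APP_KEY_RE = re.compile(r'APP_KEY\s*=\s*"?(base64:[A-Za-z0-9+/]{43}=)')

def find_app_keys(text: str) -> list:
    """Scan a .env, diff or log excerpt for exposed APP_KEY values."""
    return APP_KEY_RE.findall(text)

def decode_app_key(app_key: str) -> bytes:
    """Return the raw 32-byte AES-256-CBC key, rejecting malformed values."""
    if not app_key.startswith("base64:"):
        raise ValueError("expected the base64: prefix Laravel uses")
    raw = base64.b64decode(app_key[len("base64:"):], validate=True)
    if len(raw) != 32:
        raise ValueError("APP_KEY must decode to 32 bytes")
    return raw

def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    """Laravel Encrypter MAC (assumed): HMAC-SHA256 over base64(iv) || base64(ciphertext)."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()

def payload_matches_key(app_key: str, payload_b64: str) -> bool:
    """True when the payload's MAC verifies under app_key, i.e. the leaked key is live."""
    try:
        key = decode_app_key(app_key)
        obj = json.loads(base64.b64decode(payload_b64))
        expected = laravel_mac(key, obj["iv"], obj["value"])
        return hmac.compare_digest(expected, obj["mac"])
    except (ValueError, KeyError, TypeError):
        return False

def constructed_payload(app_key: str) -> str:
    """Test fixture only: Laravel's envelope around dummy (zero) ciphertext bytes."""
    iv_b64 = base64.b64encode(secrets.token_bytes(16)).decode()
    value_b64 = base64.b64encode(b"\x00" * 32).decode()  # stands in for real ciphertext
    mac = laravel_mac(decode_app_key(app_key), iv_b64, value_b64)
    envelope = {"iv": iv_b64, "value": value_b64, "mac": mac, "tag": ""}
    return base64.b64encode(json.dumps(envelope).encode()).decode()

# Constructed sample: a leaked .env fragment, and the key the app rotated to afterwards.
LEAKED_ENV = "APP_DEBUG=true\nAPP_KEY=base64:" + base64.b64encode(bytes(range(32))).decode() + "\n"
ROTATED_KEY = "base64:" + base64.b64encode(bytes(range(32, 64))).decode()
```

Run `payload_matches_key(find_app_keys(LEAKED_ENV)[0], cookie)` against a real laravel_session value to confirm a leaked key is live; once the key is rotated the same cookie fails the check, which is the outcome rotation is meant to produce.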
The announcement follows GitGuardian's discovery of 100,000 valid secrets in public Docker images, including AWS, Google Cloud, and GitHub tokens. A Binarly analysis of Docker images revealed numerous secrets, underscoring the widespread issue of unprotected secrets in various file types.
Additionally, the rapid adoption of Model Context Protocol (MCP) has introduced new attack vectors, with 5.2% of MCP servers leaking secrets on GitHub. This highlights the need for centralized secret scanning and secure management practices across different frameworks.
Organizations are encouraged to adopt AI, privacy-first design, and secure login methods to protect identities and maintain user trust.
Stay secure — stay Wavasec. 🔐