Vulnerability Found in Laravel APP_KEY Leaks Exposes Hundreds of Apps

A serious security issue has been discovered that allows leaked Laravel APP_KEYs to be weaponized, giving attackers remote code execution capabilities on hundreds of applications. GitGuardian, a secrets-detection company, found over 260,000 APP_KEYs on GitHub between 2018 and May 30, 2025, identifying over 600 vulnerable Laravel apps in the process.

The issue lies in Laravel’s current implementation of the `decrypt()` function, which by default passes the decrypted data through PHP’s `unserialize()`, opening the door to remote code execution. If an attacker obtains the APP_KEY and gets the application to invoke `decrypt()` on a maliciously crafted payload, they can achieve remote code execution on the Laravel web server.

This vulnerability was first documented in 2018 and has been exploited by threat actors associated with the AndroxGh0st malware. The attack vector persists in newer Laravel versions when developers explicitly configure session serialization in cookies using the `SESSION_DRIVER=cookie` setting.
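The following script is an added example, not code from the article or from the Laravel project. It assumes the `illuminate/encryption` package is installed with Composer (`composer require illuminate/encryption`) and uses only that package’s public `Encrypter` API; the helper names `encrypterFromAppKey` and `decryptUntrustedString` are hypothetical. It shows the difference the paragraph above turns on: `decrypt()` unserializes whatever the payload contains, whereas `decryptString()` (equivalent to `decrypt($payload, false)`) authenticates and decrypts but never calls `unserialize()`, and a tampered payload is rejected by the MAC check before any decryption happens.

```php
<?php
// Added example: safe handling of Laravel-encrypted payloads that cross a trust boundary.
// Assumes illuminate/encryption is installed via Composer (assumption, not from the article).
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

// Build an Encrypter the way the framework does from APP_KEY. A production APP_KEY
// looks like "base64:<44 chars>" for AES-256; here a throwaway key is generated instead.
function encrypterFromAppKey(string $appKey, string $cipher = 'aes-256-cbc'): Encrypter
{
    if (str_starts_with($appKey, 'base64:')) {
        $appKey = base64_decode(substr($appKey, 7), true);
    }
    return new Encrypter($appKey, $cipher);
}

// Hardened decrypt for payloads that arrive from outside the trust boundary
// (cookies, query strings, webhook bodies): never unserialize, return null on failure.
function decryptUntrustedString(Encrypter $enc, string $payload): ?string
{
    try {
        return $enc->decryptString($payload); // same as $enc->decrypt($payload, false)
    } catch (DecryptException $e) {
        return null; // bad MAC, malformed payload, or wrong key
    }
}

$appKey = 'base64:' . base64_encode(Encrypter::generateKey('aes-256-cbc'));
$enc = encrypterFromAppKey($appKey);

// encrypt() serializes its argument first, so decrypt() with the default
// $unserialize = true round-trips whatever PHP value was stored (arrays, objects).
$payload = $enc->encrypt(['role' => 'admin']);
var_dump($enc->decrypt($payload));                 // the original array, rebuilt by unserialize()

// decryptString() hands back the raw serialized bytes as a string; unserialize()
// is never invoked, so no object can be instantiated from attacker-controlled data.
var_dump(decryptUntrustedString($enc, $payload));  // the serialized string, not an array

// Corrupting the payload makes the HMAC check (or JSON parsing) fail first.
$tampered = substr($payload, 0, -4) . 'AAAA';
var_dump(decryptUntrustedString($enc, $tampered)); // null
```

The practical rule this illustrates: with the default `decrypt()`, whoever holds the APP_KEY controls what `unserialize()` sees, so any code path that decrypts client-supplied values should use `decryptString()` unless it genuinely needs a non-string back, and the key itself must be treated as the only thing standing between an attacker and that code path.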

Exposed .env files that contain an APP_KEY typically also expose other valuable secrets, such as cloud storage tokens and database credentials. Approximately 10% of 28,000 exposed APP_URL and APP_KEY pairs have been found to be valid, rendering 120 applications vulnerable to trivial remote code execution attacks.

To mitigate this issue, developers need a clear rotation path, backed by monitoring that flags every future reappearance of sensitive strings across CI logs, image builds, and container layers. Simply deleting an exposed APP_KEY from a repository without proper rotation is not enough: the compromised key should be rotated immediately, production systems should be updated with the new key, and continuous secret monitoring should be implemented to prevent future exposures.
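As an added example of the monitoring side of that advice (not code from the article or from GitGuardian), the script below flags Laravel APP_KEY-shaped strings in arbitrary text such as a CI log or an extracted image layer, and tells a known-compromised key apart from any other exposure by comparing SHA-256 fingerprints, so the leaked key itself never has to be stored in the scanner’s configuration. The function names `scanForAppKeys` and `fingerprint`, and the sample log, are constructed for this example.

```php
<?php
// Added example: detect reappearances of Laravel APP_KEYs in logs and build artifacts.
// Sample input below is constructed; the keys are random and stand in for real ones.

// A Laravel key is "base64:" followed by base64 of 16 bytes (AES-128, 24 chars, "==")
// or 32 bytes (AES-256, 44 chars, single "=").
const APP_KEY_PATTERN = '~base64:(?:[A-Za-z0-9+/]{43}=|[A-Za-z0-9+/]{22}==)~';

// Fingerprint so the compromised key can be referenced without keeping it in plaintext.
function fingerprint(string $appKey): string
{
    return hash('sha256', $appKey);
}

/**
 * @param string[] $compromisedFingerprints sha256 hex digests of keys already known to be leaked
 * @return array<int, array{line:int, masked:string, compromised:bool}>
 */
function scanForAppKeys(string $text, array $compromisedFingerprints): array
{
    $findings = [];
    foreach (explode("\n", $text) as $i => $line) {
        if (!preg_match_all(APP_KEY_PATTERN, $line, $m)) {
            continue;
        }
        foreach ($m[0] as $key) {
            $findings[] = [
                'line'        => $i + 1,
                // Keep only prefix and suffix so the report itself does not re-leak the key.
                'masked'      => substr($key, 0, 11) . '...' . substr($key, -4),
                'compromised' => in_array(fingerprint($key), $compromisedFingerprints, true),
            ];
        }
    }
    return $findings;
}

// Constructed sample: a CI log that echoes the environment plus one Dockerfile ENV layer.
$leakedKey = 'base64:' . base64_encode(random_bytes(32)); // stands in for the known-leaked key
$otherKey  = 'base64:' . base64_encode(random_bytes(32)); // a fresh, unrelated key

$ciLog = <<<LOG
[build] Running: php artisan config:cache
[build] APP_ENV=production
[build] APP_KEY={$leakedKey}
[build] DB_PASSWORD=********
[layer 3] ENV APP_KEY={$otherKey}
[build] Done.
LOG;

foreach (scanForAppKeys($ciLog, [fingerprint($leakedKey)]) as $f) {
    printf(
        "line %d: %s -> %s\n",
        $f['line'],
        $f['masked'],
        $f['compromised']
            ? 'KNOWN-COMPROMISED KEY still present: rotation did not reach this pipeline'
            : 'APP_KEY exposed in build output'
    );
}
```

Run against the sample, the scanner reports line 3 as the compromised key resurfacing and line 5 as a separate exposure. Feeding it each CI job’s output and each container layer after a rotation is what turns "rotate the key" into something you can verify rather than assume.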

This vulnerability highlights a broader class of PHP deserialization vulnerabilities, where tools like phpggc help attackers craft gadget chains that trigger unintended behaviors during object loading. GitGuardian’s discovery also sheds light on other types of unguarded secrets in public repositories, including Docker images and GitHub tokens.

Source: https://thehackernews.com/2025/07/over-600-laravel-apps-exposed-to-remote.html