Security researchers have found that leaked Laravel APP_KEYs can open the door to remote code execution in production environments. These 32-byte encryption keys, meant to stay private, are turning up across GitHub, often in .env files that also contain other sensitive info like database passwords, cloud access tokens, and API keys.
The vulnerability is tied to Laravel’s decrypt() function. If an attacker holds a valid APP_KEY, they can pass a crafted ciphertext that triggers unsafe deserialization. The result is remote code execution. The issue was originally documented as CVE-2018-15133 (Laravel <5.6.30), but similar risk remains in newer versions, specifically when SESSION_DRIVER=cookie is configured; that case is tracked as CVE-2024-55556.
GitGuardian and Synacktiv analyzed GitHub data going back to 2018 and extracted more than 260,000 Laravel keys. Around 400 were still valid, and the researchers confirmed that at least 600 real-world Laravel applications could be exploited. Tools like phpggc make it easier for attackers to assemble gadget chains that abuse Laravel’s unserialize() process.
Notably, nearly 28,000 APP_KEY and APP_URL pairs were simultaneously exposed, giving adversaries both the cryptographic key and a direct attack path to session cookies. Roughly 10% of these pairs remained valid, with at least 120 applications left vulnerable.
Removing leaked keys is insufficient. GitGuardian advises not just deleting exposed APP_KEYs but replacing them right away. Every affected environment should be reconfigured with a new key, without delay. That includes production servers, backups, staging, and anything using the old key. Secrets don’t disappear from clones or caches, so static removal doesn’t help. What’s needed is persistent scanning across CI logs, images, and containers, where keys get baked in.
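One way a defender can turn the scanning advice above into a concrete check, as an added example that is not part of GitGuardian's or Synacktiv's tooling: parse .env-style text, confirm the APP_KEY has Laravel's shape (a `base64:` prefix decoding to a 32-byte key), and grade the finding by whether APP_URL and the cookie session driver sit beside it. The sample .env content and its key are constructed.

```python
import base64
import re
# Constructed sample .env as a scanner might find it committed (key is 32 ASCII '0' bytes).
CONSTRUCTED_KEY = base64.b64encode(b"0" * 32).decode()
SAMPLE_ENV = f"""APP_KEY=base64:{CONSTRUCTED_KEY}
APP_URL=https://shop.example.test
SESSION_DRIVER=cookie
DB_PASSWORD=hunter2
"""

def parse_env(text: str) -> dict:
    """Parse KEY=value lines; skip blanks and comments, strip surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def is_laravel_app_key(value: str) -> bool:
    """'base64:' prefix decoding to 32 bytes (AES-256-CBC); 16 bytes (AES-128-CBC) also flagged."""
    if not value.startswith("base64:"):
        return False
    try:
        raw = base64.b64decode(value[len("base64:"):], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(raw) in (16, 32)

def assess(text: str) -> dict:
    """Flag a leaked APP_KEY, its APP_URL pairing, cookie sessions, and neighbouring secrets."""
    env = parse_env(text)
    leaked = is_laravel_app_key(env.get("APP_KEY", ""))
    return {
        "app_key_leaked": leaked,
        "app_url_paired": leaked and bool(env.get("APP_URL")),
        "cookie_session": leaked and env.get("SESSION_DRIVER", "").lower() == "cookie",
        "other_secrets": sorted(k for k, v in env.items() if v and k != "APP_KEY"
                                and re.search(r"(PASSWORD|SECRET|TOKEN|KEY)$", k)),
    }

def severity(findings: dict) -> str:
    """Key + APP_URL + cookie driver is the worst case: key, target and decrypt() sink together."""
    if not findings["app_key_leaked"]:
        return "none"
    if findings["app_url_paired"]:
        return "critical" if findings["cookie_session"] else "high"
    return "medium"
```

Run `assess()` over every .env, CI log or container layer you can enumerate; anything rated above "none" needs the key rotated everywhere it was ever deployed, not just removed from the repo.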
Laravel applications shouldn’t keep sensitive config (like .env files) in public repos, yet it keeps happening. Most exposures happen through version control mistakes. Once a key is out, attackers can simply fetch session cookies and attempt decryption locally. If that succeeds, it’s game over.
This isn’t limited to Laravel either. The same pattern is showing up in container builds, Docker layers, and AI apps using MCP (Model Context Protocol). GitGuardian has already validated RCE paths from leaked keys in real deployments; this isn’t theoretical. Secret leaks are becoming one of the top lateral movement enablers, especially in setups lacking rotation policies or centralized secret control.