GitGuardian uncovers 260,000 leaked Laravel APP_KEYs on GitHub, exposing over 600 apps to remote code execution.

The Tidyverse Blog offers insights, tutorials, and updates on the Tidyverse, a collection of R packages for data science and statistical computing. Covering topics such as data manipulation, visualization, and analysis, the blog provides resources for R developers looking to leverage the power of the Tidyverse for their data projects. Developers can learn how to use Tidyverse packages effectively to clean, transform, and analyze data in R.

The Hacker News

Security researchers discovered over 260,000 leaked Laravel APP_KEYs on GitHub, with 600+ applications vulnerable to remote code execution attacks. The vulnerability stems from Laravel's decrypt() function automatically deserializing data, allowing attackers with exposed APP_KEYs to execute arbitrary code. The issue affects both older Laravel versions (CVE-2018-15133) and newer versions with specific session configurations (CVE-2024-55556). Researchers found 63% of exposures come from .env files containing additional sensitive data, and 28,000 APP_KEY/APP_URL pairs were exposed together, making attacks trivial. Proper mitigation requires immediate key rotation, system updates, and continuous secret monitoring rather than simply deleting exposed keys.

Over 600 Laravel Apps Exposed to Remote Code Execution Due to Leaked APP_KEYs on GitHub

I wish we had a simpler PHP framework to use.
Laravel’s dependency on composer, plus the heavy tie in with Vue just makes it an uglier version of the JS Frameworks mentality.
You don’t need composer or any compiler to write good PHP.
A framework that doesn’t rely on any of that would also be easier to manage/modify/maintain/debug.
Alas, Laravel has its big following in the PHP community and has no real competition, so it draws in all the newbies too… and newbies will 100% make mistakes like the one in this post. Senior devs will do it too from time to time… because to be human is to err.