Recipe for Disaster: Cooking up RCE in LaRecipe
Vulnerability ID: CVE-2025-53833
CVSS Score: 10.0
Published: 2025-07-14
A critical Server-Side Template Injection (SSTI) vulnerability in the LaRecipe documentation package allows unauthenticated attackers to execute arbitrary code via simple query string manipulation.
TL;DR
LaRecipe < 2.8.1 tries to 'fix' relative anchor links by prepending the current request URI. Unfortunately, it uses the full URI including the query string. By appending a Blade template payload (e.g., ?{{system('id')}}) to the URL, an attacker can trick the server into rendering and executing malicious code. CVSS 10.0. Update immediately.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-1336 (SSTI)
- CVSS v3.1: 10.0 (Critical)
- Attack Vector: Network (HTTP GET)
- EPSS Score: 16.76%
- Exploit Status: PoC Available
- Impact: Remote Code Execution
Affected Systems
- LaRecipe Documentation Package < 2.8.1
- Laravel applications using LaRecipe
- LaRecipe: < 2.8.1 (Fixed in: 2.8.1)
Code Analysis
Commit: c1d0d56
Fixed security issue regarding replaceLinks
- $content = str_replace('"#', '"'.request()->getRequestUri().'#', $content);
+ $content = str_replace('"#', '"'.request()->getPathInfo().'#', $content);
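Review bot: The hunk swaps getRequestUri() for getPathInfo(), which drops the query string from the value spliced in front of every `"#` anchor, but the commit carries no comment explaining why the previous call was unsafe and no regression test; add a short comment at the call site stating that request-derived text is later compiled as a Blade view and must not include the query string, and a test asserting that a request carrying `{{7*7}}` in its query string leaves the rendered anchors unchanged (e.g., `"/docs/1.0/intro#section"` with no `49` or `{{` in the output).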
Exploit Details
- GitHub Gist: Proof of Concept for LaRecipe SSTI
- ProjectDiscovery: Nuclei Detection Template
Mitigation Strategies
- Update the affected package immediately.
- Implement WAF rules to block Blade syntax in query strings.
- Audit code for usage of 'getRequestUri' in view rendering logic.
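As a worked illustration of the WAF/detection item above, here is a log-side check added for this write-up (it is not part of the original advisory or of LaRecipe) that flags requests whose query string carries Blade syntax; the access-log lines are constructed samples and the parser assumes combined log format.

```python
import re
from urllib.parse import urlsplit, unquote

# Blade constructs that have no business in a LaRecipe query string. These are
# the tokens that become dangerous once the request URI is spliced into a view
# (CVE-2025-53833); `{{7*7}}` is the benign probe the advisory suggests.
BLADE_TOKENS = ("{{", "{!!", "@php", "<?php")

# Combined log format: ip ident user [ts] "METHOD URI PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

def blade_in_query(uri: str) -> bool:
    """True if the query string of `uri` contains Blade template syntax.

    The query is percent-decoded twice before matching so that encoded and
    double-encoded probes are flagged as well; matching only the literal
    characters would miss those attempts in the log.
    """
    query = urlsplit(uri).query
    for _ in range(2):
        query = unquote(query)
    return any(tok in query for tok in BLADE_TOKENS)

def flag_requests(log_text: str) -> list:
    """Return the parsed requests whose query string carries Blade syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and blade_in_query(m.group("uri")):
            hits.append({"ip": m.group("ip"), "uri": m.group("uri"),
                         "status": m.group("status")})
    return hits

# Constructed sample traffic (not real logs): one clean request, the benign
# probe from the advisory, a percent-encoded variant and a double-encoded one.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2025:10:00:01 +0000] "GET /docs/1.0/overview HTTP/1.1" 200 5120
203.0.113.10 - - [14/Jul/2025:10:00:02 +0000] "GET /docs/1.0/overview?{{7*7}} HTTP/1.1" 200 5121
203.0.113.11 - - [14/Jul/2025:10:00:03 +0000] "GET /docs/1.0/overview?%7B%7Bsystem(%27id%27)%7D%7D HTTP/1.1" 200 5200
203.0.113.12 - - [14/Jul/2025:10:00:04 +0000] "GET /docs/1.0/overview?page=2&q=%257B%257B1%257D%257D HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A hit on a 200 response against an unpatched instance is the signal to treat as a likely successful injection rather than a blocked probe.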
Remediation Steps:
- Run composer show saleem-hadad/larecipe to check your version.
- Run composer update saleem-hadad/larecipe to upgrade to >= 2.8.1.
- Verify the fix by attempting a benign injection (e.g., {{7*7}}) against a non-production instance.
References
Read the full report for CVE-2025-53833 on our website for more details including interactive diagrams and full exploit analysis.