Security Misconfiguration

Security Misconfiguration: Laravel remember_me fix [CVE-2017-14775]

[Updated Mar 2026] Updated CVE-2017-14775

Overview

CVE-2017-14775 describes a security misconfiguration in Laravel versions prior to 5.5.10: the remember_me token verification path in DatabaseUserProvider uses a non-constant-time string comparison. This creates a timing channel that can leak information about a valid token and potentially enable an attacker to exploit the remember-me feature to persist a session.

Exploitation in practice occurs when an attacker can observe or submit crafted remember tokens. By measuring response timings while the system checks the token, an attacker can gradually infer the correct token and thereby impersonate a user through a valid remember cookie.

Remediation involves upgrading to Laravel 5.5.10 or later and patching the token check to use a constant-time comparison. The canonical fix is to replace non-constant-time comparisons with hash_equals (PHP 5.6+). After applying the patch, rotate remember_tokens and invalidate existing remember cookies to minimize risk.

Implementation tip: in Laravel's DatabaseUserProvider remember token verification, use hash_equals instead of == or strcmp, and ensure your PHP version supports it. The code fix is demonstrated in the Code Fix Example section below.

Affected Versions

Laravel < 5.5.10

Code Fix Example

Laravel API Security Remediation
<?php
// Stand-in for the user record the user provider loaded from the database.
$user = (object) ['remember_token' => 'stored-token-value'];

// VULNERABLE PATTERN (non-constant-time): == stops at the first differing
// byte, so the response time depends on how much of the token matched.
// (== is also a loose comparison, which is a second reason to avoid it here.)
$rememberToken = isset($_COOKIE['remember_token']) ? $_COOKIE['remember_token'] : null;
if (!empty($rememberToken) && $rememberToken == $user->remember_token) {
    // authenticate user via remember-me
}

// FIX: constant-time token comparison using hash_equals (PHP 5.6+).
// Pass the stored (known) token first and the user-supplied value second,
// and only compare when the user actually has a stored token.
$rememberToken = isset($_COOKIE['remember_token']) ? $_COOKIE['remember_token'] : null;
if (!empty($rememberToken) && !empty($user->remember_token)
    && hash_equals($user->remember_token, (string) $rememberToken)) {
    // authenticate user via remember-me
}
?>
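
The following is an added example (not Laravel's own code) that puts the two remediation steps from the Overview in one place: a remember-token lookup in the shape of a user provider's retrieveByToken that compares in constant time, and a one-off rotation that gives every user a fresh token so that remember cookies issued before the patch no longer match anything. It assumes a plain PDO connection in $pdo and a users table with id and remember_token columns, rather than Laravel's Eloquent layer.

```php
<?php
// Added example (not Laravel's own code). Assumes a `users` table with
// `id` and `remember_token` columns and a PDO connection in $pdo.

// Patched lookup: the cookie token is accepted only if the user has a
// stored token and it matches in constant time (known value first).
function retrieveByToken(PDO $pdo, int $id, string $token): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || empty($user['remember_token'])) {
        return null;
    }
    // hash_equals (PHP 5.6+) does not short-circuit on the first mismatching
    // byte; it only returns early when the lengths differ, which is fine for
    // fixed-length tokens.
    return hash_equals($user['remember_token'], $token) ? $user : null;
}

// Post-patch cleanup: assign every user a new random token. Any cookie that
// still carries a pre-patch token is rejected by retrieveByToken above.
// Returns the number of users whose token was rotated.
function rotateAllRememberTokens(PDO $pdo): int
{
    $update = $pdo->prepare(
        'UPDATE users SET remember_token = :token WHERE id = :id'
    );
    $ids = $pdo->query('SELECT id FROM users')->fetchAll(PDO::FETCH_COLUMN);
    foreach ($ids as $id) {
        // random_bytes (PHP 7+) is a CSPRNG; 30 bytes hex-encode to 60
        // characters, the length Laravel uses for its own remember tokens.
        $token = bin2hex(random_bytes(30));
        $update->execute([':token' => $token, ':id' => $id]);
    }
    return count($ids);
}
```

Run rotateAllRememberTokens once right after deploying the patched comparison; users with a remembered session will simply be asked to log in again.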

CVE References
