Overview
CVE-2017-14775 describes a timing-attack risk in Laravel's remember_me flow: the DatabaseUserProvider did not compare remember tokens in constant time. The issue falls under CWE-200: Exposure of Sensitive Information. In affected releases (prior to 5.5.10), an attacker could measure differences in verification time to infer a valid remember_me token and bypass authentication as the user who owned it.

In practice, Laravel stored a remember_me token in a cookie and compared it to the token held in the database. When that comparison uses a non-constant-time operator (for example == or !=), the comparison stops at the first mismatching byte, so the time taken leaks how much of the token prefix is correct. Measured over many requests, that can reveal the token piece by piece and allow session hijacking without credentials.

Remediation is to upgrade to Laravel 5.5.10 or later, where the token check uses a constant-time comparison, or to patch the DatabaseUserProvider to use a constant-time function such as hash_equals. After applying the fix, rotate remember tokens and re-validate existing user sessions. Consider additional hardening such as secure cookie attributes (HttpOnly, Secure, SameSite) and token rotation on login.

This vulnerability is documented as CVE-2017-14775 and maps to CWE-200, highlighting the risk of exposing sensitive data through timing side channels in authentication flows.
Affected Versions
Laravel <= 5.5.9 (before 5.5.10)
Code Fix Example
Laravel API Security Remediation
// Vulnerable: != compares byte by byte and stops at the first mismatch,
// so verification time depends on how much of the token prefix is correct.
$rememberTokenFromCookie = $_COOKIE['remember_me'] ?? '';
if ($rememberTokenFromCookie != $user->remember_token) {
    // invalid token
    http_response_code(403);
    exit;
}

// Fixed: reject an empty cookie or an unset stored token outright, then
// compare with hash_equals(), whose running time does not depend on where
// the strings differ. Argument order: known (database) value first,
// user-supplied value second.
$rememberTokenFromCookie = $_COOKIE['remember_me'] ?? '';
$storedToken = (string) ($user->remember_token ?? '');
if ($rememberTokenFromCookie === '' || $storedToken === '' || !hash_equals($storedToken, $rememberTokenFromCookie)) {
    http_response_code(403);
    exit;
}
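The following is an added example, not code from this page or from Laravel itself. It pulls the remediation steps above into one small helper set: a reference constant-time comparison (to show what hash_equals does differently from != ), a verifier that refuses empty or unset tokens, token generation with random_bytes, and rotation on login with the Secure, HttpOnly and SameSite cookie attributes. The function names, the 60-character token length and the $persist callback are assumptions for illustration; the setcookie options array requires PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's own code. Function names, the 60-character
// token length and the persistence callback are assumptions for illustration.

// Reference constant-time comparison, to show what hash_equals() does
// differently from == / !=: the loop always walks the full length and never
// returns early at the first mismatching byte. Use hash_equals() in practice.
function constantTimeEquals(string $known, string $user): bool
{
    if (strlen($known) !== strlen($user)) {
        return false; // reveals only the length, which is fixed and public
    }
    $diff = 0;
    $len = strlen($known);
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Generate a fresh random token; 30 random bytes give 60 hex characters.
function generateRememberToken(): string
{
    return bin2hex(random_bytes(30));
}

// Verify the cookie value against the stored token. A missing or empty stored
// token (user never opted in) and an empty cookie both fail, so an empty
// cookie can never match an empty column. hash_equals() takes the known
// value first and the user-supplied value second.
function verifyRememberToken(?string $stored, ?string $presented): bool
{
    if ($stored === null || $stored === '' || $presented === null || $presented === '') {
        return false;
    }
    return hash_equals($stored, $presented);
}

// Token rotation on login: issue a new token, persist it, and send it with
// the cookie attributes recommended above. $persist is an assumed callback
// that writes the new token to the user's remember_token column.
function rotateRememberToken(callable $persist): string
{
    $token = generateRememberToken();
    $persist($token);
    setcookie('remember_me', $token, [
        'expires'  => time() + 60 * 60 * 24 * 30, // 30 days (assumed lifetime)
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Constructed sample run (no database): rotate once, then check the same
// value, an empty cookie, an unset stored token, and a one-character change.
$column = null; // stands in for the remember_token column
$stored = rotateRememberToken(function (string $t) use (&$column): void {
    $column = $t;
});
$wrong = $stored;
$wrong[0] = ($wrong[0] === 'a') ? 'b' : 'a';

var_dump(verifyRememberToken($column, $stored));
var_dump(verifyRememberToken($column, ''));
var_dump(verifyRememberToken(null, $stored));
var_dump(verifyRememberToken($column, $wrong));
var_dump(constantTimeEquals($stored, $wrong));
```

Run it from the command line with php; the first check is the only one that succeeds. In a real application the cookie must be sent before any output, and the $persist callback would be the model update that writes remember_token to the database.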