Overview
CVE-2017-9303 describes an Unrestricted Resource Consumption issue in Laravel 5.4.x prior to 5.4.22 where the host portion of a password-reset URL was not properly constrained, enabling attacker-controlled hosts in phishing scenarios. This maps to CWE-20 (Improper Input Validation). In practice, an attacker could craft a password reset flow that renders a URL pointing to a domain they own, luring users into submitting credentials on a phishing site. The vulnerability affects the way Laravel builds absolute reset links during the password reset process, potentially allowing an attacker to influence the host shown to the user when the reset link is delivered via email or other channels.
Affected Versions
Laravel 5.4.x before 5.4.22
Code Fix Example
Laravel API Security Remediation
// Vulnerable: url() builds the absolute link from the root of the incoming
// request, so the Host header supplied by the client ends up in the emailed link.
$resetUrl = url('/password/reset', ['token' => $token, 'email' => $user->email]);
// ... send in email
Mail::to($user->email)->send(new ResetPasswordMail($resetUrl));

// Fixed: pin the URL generator's root to the configured application URL
// (config('app.url') / APP_URL) before generating the link, so the request's
// Host header no longer influences the host shown to the user.
use Illuminate\Support\Facades\URL;

URL::forceRootUrl(config('app.url'));
$resetUrl = url('/password/reset', ['token' => $token, 'email' => $user->email]);
// ... send in email
Mail::to($user->email)->send(new ResetPasswordMail($resetUrl));
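To make the difference between the two patterns concrete outside of a Laravel application, the following is an added, framework-free example (not Laravel's own code) that builds a reset link once from the request's Host header and once from a configured application URL, then checks which host the emailed link would carry. The request array, token, email address and hostnames are constructed values.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: the root is derived from the incoming request, so any
// Host header the client sends becomes the host in the emailed link.
function resetUrlFromRequest(array $server, string $token, string $email): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $root = $scheme . '://' . $server['HTTP_HOST'];
    return $root . '/password/reset/' . rawurlencode($token) . '?email=' . rawurlencode($email);
}

// Fixed pattern: the root comes from configuration (the equivalent of
// config('app.url')), which the client cannot influence.
function resetUrlFromConfig(string $appUrl, string $token, string $email): string
{
    $root = rtrim($appUrl, '/');
    return $root . '/password/reset/' . rawurlencode($token) . '?email=' . rawurlencode($email);
}

// Defensive check a mailer can run before sending: the link must point at the
// configured host, otherwise refuse to send it.
function linkPointsAtConfiguredHost(string $link, string $appUrl): bool
{
    $linkHost = parse_url($link, PHP_URL_HOST);
    $appHost  = parse_url($appUrl, PHP_URL_HOST);
    return is_string($linkHost) && is_string($appHost)
        && strcasecmp($linkHost, $appHost) === 0;
}

// Constructed request whose Host header does not match the application's host.
$untrustedRequest = ['HTTP_HOST' => 'not-the-real-app.example', 'HTTPS' => 'on'];
$appUrl = 'https://app.example.com';
$token  = 'constructed-token';
$email  = 'user@example.com';

$fromRequest = resetUrlFromRequest($untrustedRequest, $token, $email);
$fromConfig  = resetUrlFromConfig($appUrl, $token, $email);

// The request-derived link fails the check; the config-derived link passes.
assert(linkPointsAtConfiguredHost($fromRequest, $appUrl) === false);
assert(linkPointsAtConfiguredHost($fromConfig, $appUrl) === true);

echo "request-derived: {$fromRequest}", PHP_EOL;
echo "config-derived:  {$fromConfig}", PHP_EOL;
```

Run with `php -d zend.assertions=1 example.php` so the assertions are evaluated; in a Laravel application the same guarantee is obtained by generating the link from config('app.url') as shown in the fix above.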