Laravel Ignition Reflected Cross-Site Scripting - Vulnerability Database

Laravel Ignition Reflected Cross-Site Scripting

Description

The Laravel Ignition component, a debugging and error page tool, contains a reflected cross-site scripting (XSS) vulnerability due to insufficient input sanitization. When Ignition is enabled (typically in debug mode), specially crafted requests can inject malicious scripts that are reflected back to users without proper encoding, allowing arbitrary JavaScript execution in the victim's browser.

Remediation

Immediately disable debug mode in production environments by setting the APP_DEBUG environment variable to false in your .env file:

APP_DEBUG=false

Additionally, ensure that the Ignition package is only installed as a development dependency and not deployed to production. Update your composer.json to include facade/ignition in the require-dev section only:

"require-dev": {
    "facade/ignition": "^2.0"
}

If Ignition must be used, upgrade to version 2.0.5 or later where this vulnerability has been patched. Verify your configuration by checking that APP_ENV is set to 'production' and confirm Ignition routes are not accessible by attempting to access /_ignition/scripts on your production domain.
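The three remediation steps above (APP_DEBUG and APP_ENV in .env, facade/ignition in require-dev rather than require, and an installed version of at least 2.0.5) can be checked together before a deployment. The following audit script is an added example, not part of the Invicti entry or of the Ignition project; the sample .env, composer.json and composer.lock contents are constructed, and the rule that composer.lock lists shippable packages under "packages" and dev-only ones under "packages-dev" follows Composer's standard lock-file layout.

```python
import json
import re

# Version named in the advisory as the first patched release of facade/ignition.
PATCHED_VERSION = (2, 0, 5)


def parse_env(text):
    """Minimal .env parser: KEY=VALUE lines, ignoring comments and blanks."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as 'v2.0.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def audit_ignition(env_text, composer_json_text, composer_lock_text):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []

    # Check 1: debug mode and environment name from .env.
    env = parse_env(env_text)
    if env.get("APP_DEBUG", "false").lower() not in ("false", "0", ""):
        findings.append("APP_DEBUG is not false: Ignition error pages are enabled")
    if env.get("APP_ENV") != "production":
        findings.append("APP_ENV is %r, expected 'production'" % env.get("APP_ENV"))

    # Check 2: Ignition must not be a production dependency in composer.json.
    composer = json.loads(composer_json_text)
    if "facade/ignition" in composer.get("require", {}):
        findings.append("facade/ignition is listed in require; move it to require-dev")

    # Check 3: if Ignition is still shipped (under "packages", not
    # "packages-dev"), its locked version must be at least 2.0.5.
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "facade/ignition":
            version = parse_version(pkg.get("version"))
            if version is None or version < PATCHED_VERSION:
                findings.append(
                    "facade/ignition %s is a production package below 2.0.5"
                    % pkg.get("version")
                )
    return findings


# Constructed sample inputs (not taken from any real project).
INSECURE_ENV = "APP_NAME=Shop\nAPP_ENV=local\nAPP_DEBUG=true\n"
INSECURE_COMPOSER = json.dumps({"require": {"facade/ignition": "^2.0"}})
INSECURE_LOCK = json.dumps(
    {"packages": [{"name": "facade/ignition", "version": "v2.0.3"}], "packages-dev": []}
)

SECURE_ENV = "APP_NAME=Shop\nAPP_ENV=production\nAPP_DEBUG=false\n"
SECURE_COMPOSER = json.dumps({"require-dev": {"facade/ignition": "^2.0"}})
SECURE_LOCK = json.dumps(
    {"packages": [], "packages-dev": [{"name": "facade/ignition", "version": "v2.0.6"}]}
)


if __name__ == "__main__":
    for label, args in (
        ("insecure", (INSECURE_ENV, INSECURE_COMPOSER, INSECURE_LOCK)),
        ("secure", (SECURE_ENV, SECURE_COMPOSER, SECURE_LOCK)),
    ):
        print(label + ":", audit_ignition(*args) or ["no findings"])
```

In a real pipeline the three strings would be read from the project's .env, composer.json and composer.lock, and a non-empty findings list would fail the deployment step. The script complements, rather than replaces, the runtime check described above (confirming that /_ignition/scripts is not served on the production domain), because a correct configuration on disk says nothing about what an already-deployed server is running.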