Laravel Telescope open
Description
Laravel Telescope is a debugging and monitoring tool that records requests, exceptions, database queries, queued jobs, scheduled tasks, mail, notifications, cache operations and other application internals, and serves them through a dashboard at /telescope. When it is left enabled and reachable without authorization in production, anyone who can reach the host can browse everything the application handled while recording: request headers and bodies (including Authorization headers, cookies and submitted credentials), session data, SQL queries with their bound values, exception traces with surrounding source lines, log messages, outbound mail content, and job payloads. The finding arises when Telescope is deployed to production without being disabled, or with its viewTelescope authorization gate left open.
Remediation
Disable Laravel Telescope in production environments, or, if it must stay reachable, make sure its authorization gate is actually enforced:

1. Set the TELESCOPE_ENABLED environment variable to false in production. With the default config/telescope.php ('enabled' => env('TELESCOPE_ENABLED', true)) this stops Telescope from both recording entries and registering its routes, so /telescope returns 404. If the configuration is cached (php artisan config:cache), run config:cache again after changing .env; otherwise the cached value keeps Telescope enabled.

    TELESCOPE_ENABLED=false

2. Better, keep Telescope out of production builds altogether: install it as a dev dependency (composer require laravel/telescope --dev), turn off package auto-discovery for it in composer.json, remove Laravel\Telescope\TelescopeServiceProvider from bootstrap/providers.php (the providers array in config/app.php on older releases), and register both providers only in the local environment from app/Providers/AppServiceProvider.php. The conditional registration goes in AppServiceProvider, not in app/Providers/TelescopeServiceProvider.php, which is itself one of the two providers being gated:

    "extra": {
        "laravel": {
            "dont-discover": [
                "laravel/telescope"
            ]
        }
    }

    public function register(): void
    {
        if ($this->app->environment('local')) {
            $this->app->register(\Laravel\Telescope\TelescopeServiceProvider::class);
            $this->app->register(\App\Providers\TelescopeServiceProvider::class);
        }
    }

3. If Telescope must remain enabled in production, access is decided by the viewTelescope gate defined in app/Providers/TelescopeServiceProvider.php. Telescope's Authorize middleware (listed under middleware in config/telescope.php) runs this gate on every dashboard and API request; unauthenticated requests fail it because the closure requires a User. Note that the same middleware skips the gate entirely when the application environment is local, so a production host mistakenly running with APP_ENV=local exposes the dashboard no matter how strict the gate is. Restrict the gate to a short, explicit list of accounts:

    use App\Models\User;
    use Illuminate\Support\Facades\Gate;

    protected function gate(): void
    {
        Gate::define('viewTelescope', function (User $user) {
            return in_array($user->email, [
                'admin@example.com',
            ], true);
        });
    }

4. Verify after deploying: from a client with no session cookie, request /telescope and expect 404 (Telescope disabled) or 403 (gate enforced); a 200 response that renders the Telescope dashboard means it is still open. On the server, php artisan route:list --path=telescope should list no routes when Telescope is disabled, and APP_ENV must not be local.
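The following script is an added example for the verification step, not part of the original page or of the Telescope project. It requests /telescope on each host given on the command line with no credentials and classifies the answer. It assumes curl is installed, that the host names are placeholders for your own deployments, and that Telescope's dashboard page carries a <title> beginning with "Telescope" and a <div id="telescope"> root element (both assumed markers, used so that a 200 from an unrelated catch-all route is not mistaken for an open dashboard).

```shell
#!/usr/bin/env bash
# Added check (not from the original page): probe deployed hosts for an open
# Laravel Telescope dashboard. Run it from a client that holds no session
# cookie, so a 200 cannot come from a legitimately authorised user.
set -u

# Classify one response to GET /telescope. The two Telescope markers are
# assumptions about the dashboard markup (page title "Telescope..." and the
# Vue root <div id="telescope">). A bare 200 is not proof: an application with
# its own catch-all route also answers 200 for /telescope without Telescope.
classify_telescope_response() {  # usage: classify_telescope_response STATUS BODY
  local status=$1 body=$2
  case "$status" in
    200)
      if printf '%s' "$body" | grep -qiE '<title>Telescope|id="telescope"'; then
        echo EXPOSED          # dashboard served to an anonymous client
      else
        echo NOT_TELESCOPE    # some other page answered: inspect manually
      fi ;;
    401|403)     echo RESTRICTED ;;  # routes exist, viewTelescope gate rejects guests
    404)         echo ABSENT ;;      # TELESCOPE_ENABLED=false or package not installed
    3[0-9][0-9]) echo REDIRECT ;;    # e.g. redirect to login; check the Location target
    000|'')      echo NO_RESPONSE ;; # connection failed or timed out
    *)           echo UNKNOWN ;;
  esac
}

# Fetch /telescope once, without credentials and without following redirects,
# then classify it. Returns non-zero when the dashboard is exposed so the check
# can fail a deployment pipeline.
probe_telescope() {  # usage: probe_telescope https://app.example.com
  local base=${1%/} tmp status verdict
  tmp=$(mktemp)
  status=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' "$base/telescope") || status=000
  verdict=$(classify_telescope_response "$status" "$(cat "$tmp")")
  rm -f "$tmp"
  printf '%-40s HTTP %s  %s\n' "$base/telescope" "$status" "$verdict"
  [ "$verdict" != EXPOSED ]
}

# Usage: ./telescope-check.sh https://app.example.com https://staging.example.com
# (placeholder hosts). With no arguments only the functions are defined.
if [ "$#" -gt 0 ]; then
  rc=0
  for base in "$@"; do
    probe_telescope "$base" || rc=1
  done
  exit "$rc"
fi
```

A REDIRECT verdict usually means the application sent the anonymous client to its login page; confirm that an authenticated non-admin account still receives 403 on /telescope, since the gate, not the login, is what protects the data.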