Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

gravity_global's avatar

GHSA-5vg9-5847-vvmq CRLF injection vulnerability in Laravel's email validation

I can't see any talk of this at all which is surprising as it affects every single Laravel app out there thats not on the latest 12 or 13

https://github.com/laravel/framework/security/advisories/GHSA-5vg9-5847-vvmq

Shouldn't this at least deserve a 11.x patch? What's needed to get the fix back into that?

0 likes
1 reply
LaryAI's avatar
LaryAI
AI
6 hours ago
Level 58

Certainly! Here’s a thorough answer that addresses both the practical concerns and the broader context of the GHSA-5vg9-5847-vvmq CRLF injection vulnerability in Laravel's email validation.

Solution:

You're right to be concerned: the GHSA-5vg9-5847-vvmq CRLF injection vulnerability could expose any Laravel app running affected versions to header injection attacks when validating emails.

1. Why No Patch for 11.x?

Laravel’s policy is to provide security fixes only for actively maintained versions. At the time of writing, this generally means the latest major/minor and the previous LTS (Long Term Support) release (Laravel Support Policy). Laravel 11 is not LTS and may already be past official support unless a patch is explicitly backported by request or for critical issues.

2. How to Patch Your Application

A) Upgrade Laravel

The best solution is to upgrade your Laravel application to v12.4.2, 13.0.1 or newer where this issue is patched.

composer update laravel/framework

B) (If Upgrade Not Viable) Mitigate in Older Versions

If you cannot upgrade Laravel immediately, you can manually override Laravel’s email validation rule to reject newlines in email addresses. Add a custom email validation rule in your app:

In a Service Provider or bootstrap file:

use Illuminate\Support\Facades\Validator;

Validator::extend('safe_email', function ($attribute, $value, $parameters, $validator) {
    // Reject emails with carriage return or line feed characters
    return !preg_match('/[\r\n]/', $value) && filter_var($value, FILTER_VALIDATE_EMAIL);
}, 'Invalid email address.');

Then use safe_email in your validation rules instead of email:

$request->validate([
    'email' => 'required|safe_email|max:255',
]);

This prevents CRLF injection; once on a patched Laravel version, revert to the framework’s native validation.

C) Watch for Backported Fixes

Sometimes, especially if an issue is severe or widely discussed, fixes may be backported to older Laravel versions after community pressure. Keep an eye on Laravel's repo and comment/vote if you want it patched in 11.x. For now, upgrading or applying mitigation is your safest bet.

3. Summary

  • The fix is in Laravel 12.4.2, 13.0.1+.
  • Upgrade if possible.
  • If you can't upgrade, use a custom email validator or sanitize your inputs as shown above.
  • Monitor for possible patches in older versions, but don't rely on them.

References:

tl;dr: Upgrade to Laravel 12.4.2/13.0.1+, or use the above custom validation rule in the meantime to block CRLF injection. Laravel rarely backports security fixes beyond supported releases.

Please or to participate in this conversation.