Your cookies are not encrypted?
How can I prevent OS command injection in a Laravel cookie?
Hi, recently I was scanning our Laravel web application using Burp Suite.
It found the issue below (it is not a false positive, because when I run this the request hangs for 21 seconds).
The mac JSON parameter, within the Base64-decoded value of the ourapp_session cookie appears to be vulnerable to OS command injection attacks. It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload |ping -n 21 127.0.0.1||ping -c 21 127.0.0.1 #' |ping -n 21 127.0.0.1||ping -c 21 127.0.0.1 #" |ping -n 21 127.0.0.1 was submitted in the mac JSON parameter, within the Base64-decoded value of the medicina_pharmacy_session cookie. The application timed out when responding to the request, indicating that the injected command caused a time delay.
Issue background: Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. It may also be possible to use the server as a platform for attacks against other systems. The exact potential for exploitation depends upon the security context in which the command is executed, and the privileges that this context has regarding sensitive resources on the server.
The actual request:

GET /product/cialis-tadalafil HTTP/2
Host: ourdomain
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: XSRF-TOKEN=eyJpdiI6ImdEb3htYWVkUGFXNDBzWDlzbVZpOXc9PSIsInZhbHVlIjoiRmFnSFRZTVAvOThoYnRMY1JrZU5jeUo0bjRYSGtVazFBVTd2eEx4aWwzb0NCUXFrU1oySHY3YlYzY0h0VUJ0Nzg4N0JWZzFpajJQck91Uk1LUFlwbEIvS1llamNtZVhDSmN1RlhWbFJ6eFh3RW9aYW94emViMnhsTlI2eHYvUlAiLCJtYWMiOiIzZjRmOTRiMTc0MjY4N2QzYTYzNDdmMTQzZTEzNzI1Y2M3YTMyMjhhYTM1YmI5YzMyYjA1NWU0NDQ0MzA2NzY0IiwidGFnIjoiIn0%3D; ourapp_session=eyJpdiI6IjZ5YXhiYlMyYXA0S0dpdVRtbU9XUlE9PSIsInZhbHVlIjoiV21OTUx6SGtZRlZ0dTl2QWk5aGdwcFNhc1FuVEh2Z1h3Tkw3bVhoZVMzdUswcXNRODM1RG9JZTBEV0xKTmtURmNPM3I5ZHJMVVpMRjBjZW5oMUxnMTFjbHdlZkJTQ3FuMUZnSkdDR056MzI3RUFUN295ZHlaU1psMTJMQmhIWm4iLCJtYWMiOiI2Zjc1MmYzODkxNWNlY2RiZDBkYmYwYjVhOTMxMmNmZDEwYTEzZGNhZDI0YWEzYTg3NzIxZWI1NjNmMzVjMjBjfHBpbmcgLW4gMjEgMTI3LjAuMC4xfHxgcGluZyAtYyAyMSAxMjcuMC4wLjFgICMnIHxwaW5nIC1uIDIxIDEyNy4wLjAuMXx8YHBpbmcgLWMgMjEgMTI3LjAuMC4xYCAjXFxcIiB8cGluZyAtbiAyMSAxMjcuMC4wLjEiLCJ0YWciOiIifQ%3d%3d
Upgrade-Insecure-Requests: 1
Referer: mydomain
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="112", "Chromium";v="112"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0

My questions:
a) This Base64 session cookie is created by Laravel itself. How can this be vulnerable?
b) How can I prevent this?
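The scanner changed the mac field of a cookie that Laravel's EncryptCookies middleware issues. Laravel's Encrypter writes that cookie as base64 of a JSON object with iv, value, mac and tag, and for the default AES-256-CBC cipher it recomputes mac = HMAC-SHA256(key, iv || value) over the two base64 strings and refuses to decrypt when the comparison fails, so a tampered mac is discarded before any field reaches application code. The Python script below is added here as an illustration; it is not code from this thread or from Laravel, but mirrors that check so the behaviour can be confirmed locally. The APP_KEY and the session payload are constructed, and the value field is plain base64 rather than AES ciphertext because only the MAC step is being shown. A delay that survives this check has to come from a component that reads the raw Cookie header before decryption, which is where to look next.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed demo key in Laravel's "base64:<32 bytes>" APP_KEY form; not a real key.
APP_KEY = "base64:" + base64.b64encode(b"\x01" * 32).decode()


def key_bytes(app_key: str) -> bytes:
    """Strip Laravel's 'base64:' prefix and return the raw 32-byte key."""
    if app_key.startswith("base64:"):
        app_key = app_key[len("base64:"):]
    return base64.b64decode(app_key)


def laravel_mac(iv_b64: str, value_b64: str, key: bytes) -> str:
    """Laravel computes hash_hmac('sha256', $iv . $value, $key) over the base64 strings."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def make_cookie(payload: bytes, key: bytes) -> str:
    """Build a Laravel-style {iv, value, mac, tag} envelope and base64-encode it.
    Assumption for the demo: value is base64 of the payload, not AES-256-CBC
    ciphertext, since only the MAC check is being demonstrated."""
    iv_b64 = base64.b64encode(os.urandom(16)).decode()
    value_b64 = base64.b64encode(payload).decode()
    envelope = {
        "iv": iv_b64,
        "value": value_b64,
        "mac": laravel_mac(iv_b64, value_b64, key),
        "tag": "",
    }
    return base64.b64encode(json.dumps(envelope).encode()).decode()


def verify_cookie(cookie: str, key: bytes) -> bool:
    """Mirror of the check Laravel's Encrypter performs before decrypting:
    the envelope must be valid base64/JSON with string iv, value and mac,
    and the stored mac must equal the recomputed one (constant-time compare).
    Anything that fails here must never be passed to a shell, query or path."""
    try:
        envelope = json.loads(base64.b64decode(cookie))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return False
    if not isinstance(envelope, dict):
        return False
    if not all(isinstance(envelope.get(k), str) for k in ("iv", "value", "mac")):
        return False
    expected = laravel_mac(envelope["iv"], envelope["value"], key)
    return hmac.compare_digest(expected, envelope["mac"])


def tamper_mac(cookie: str, suffix: str) -> str:
    """Return the same envelope with extra characters appended to its mac field,
    the kind of modification a scanner makes when probing that parameter."""
    envelope = json.loads(base64.b64decode(cookie))
    envelope["mac"] = envelope["mac"] + suffix
    return base64.b64encode(json.dumps(envelope).encode()).decode()


if __name__ == "__main__":
    key = key_bytes(APP_KEY)
    good = make_cookie(b'{"session_id": "constructed-demo"}', key)
    print("untouched cookie accepted:", verify_cookie(good, key))
    print("modified mac accepted:   ", verify_cookie(tamper_mac(good, "x"), key))
    print("wrong key accepted:      ", verify_cookie(good, b"\x02" * 32))
```

Run it as a script to see the three outcomes; only the untouched cookie verifies, and a cookie with a modified mac or one issued under a different key is rejected before its contents are looked at.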