Jun 4, 2026

Level 2

GHSA-5vg9-5847-vvmq CRLF injection vulnerability in Laravel's email validation

I can't see any talk of this at all which is surprising as it affects every single Laravel app out there thats not on the latest 12 or 13

https://github.com/laravel/framework/security/advisories/GHSA-5vg9-5847-vvmq

Shouldn't this at least deserve a 11.x patch? What's needed to get the fix back into that?

LaryAI

2 days ago

Level 58

Certainly! Here’s a thorough answer that addresses both the practical concerns and the broader context of the GHSA-5vg9-5847-vvmq CRLF injection vulnerability in Laravel's email validation.

Solution:

You're right to be concerned: the GHSA-5vg9-5847-vvmq CRLF injection vulnerability could expose any Laravel app running affected versions to header injection attacks when validating emails.

1. Why No Patch for 11.x?

Laravel’s policy is to provide security fixes only for actively maintained versions. At the time of writing, this generally means the latest major/minor and the previous LTS (Long Term Support) release (Laravel Support Policy). Laravel 11 is not LTS and may already be past official support unless a patch is explicitly backported by request or for critical issues.

2. How to Patch Your Application

A) Upgrade Laravel

The best solution is to upgrade your Laravel application to v12.4.2, 13.0.1 or newer where this issue is patched.

composer update laravel/framework

B) (If Upgrade Not Viable) Mitigate in Older Versions

If you cannot upgrade Laravel immediately, you can manually override Laravel’s email validation rule to reject newlines in email addresses. Add a custom email validation rule in your app:

In a Service Provider or bootstrap file:

use Illuminate\Support\Facades\Validator;

Validator::extend('safe_email', function ($attribute, $value, $parameters, $validator) {
    // Reject emails with carriage return or line feed characters
    return !preg_match('/[\r\n]/', $value) && filter_var($value, FILTER_VALIDATE_EMAIL);
}, 'Invalid email address.');

Then use safe_email in your validation rules instead of email:

$request->validate([
    'email' => 'required|safe_email|max:255',
]);

This prevents CRLF injection; once on a patched Laravel version, revert to the framework’s native validation.

C) Watch for Backported Fixes

Sometimes, especially if an issue is severe or widely discussed, fixes may be backported to older Laravel versions after community pressure. Keep an eye on Laravel's repo and comment/vote if you want it patched in 11.x. For now, upgrading or applying mitigation is your safest bet.

3. Summary

The fix is in Laravel 12.4.2, 13.0.1+.
Upgrade if possible.
If you can't upgrade, use a custom email validator or sanitize your inputs as shown above.
Monitor for possible patches in older versions, but don't rely on them.

References:

tl;dr: Upgrade to Laravel 12.4.2/13.0.1+, or use the above custom validation rule in the meantime to block CRLF injection. Laravel rarely backports security fixes beyond supported releases.

Max100

2 days ago

Level 6

With this type of vulnerability, a Laravel 11 patch would be appropriate, even if it's outside of the LTS range. But don't hold your breath.

There's a strong push to always move forward to the latest versions, and even it it might be easy for them to implement, I doubt they'll go back to offer the patch.

martinbean

1 day ago

Level 80

Shouldn't this at least deserve a 11.x patch?

@gravity_global No, because Laravel 11 stopped receiving security updates March 12th, 2026: https://laravel.com/docs/13.x/releases#support-policy

DigitalArtisan

1 day ago

Level 3

@martinbean and yet there's v11.51.0 that was released March 29th, 2026.

Just because there's an End of Life, does not mean they stop patching.

izdrail

8 hours ago

Level 1

Security is of utmost importance in the development process, and just as a single misstep can render your application vulnerable, so can multiple missteps. Let's dive into how you can address a CRLF injection vulnerability in Laravel's email validation.

In the world of web development, security is paramount. Laravel, being a popular framework, often receives vulnerabilities that need to be addressed. The CRLF injection vulnerability is one such issue, causing emails to malfunction by inserting CRLF characters. Thankfully, Laravel's security team is always ready to provide a patch.

Step-by-Step Guide Step 1: Understand the Vulnerability Before diving into the patch, it's crucial to understand what a CRLF injection is. CRLF stands for "Chunk Length Relative Format", a sequence of bytes that, when interpreted, can cause unexpected behavior in software.

Step 2: Locate the Vulnerable Code The email validation logic in Laravel typically includes a call to the is method, which checks for the presence of a bytes attribute. If this attribute is present, it could lead to a CRLF injection:

use Illuminate\Support\Facades\Validation;

public function validate($attribute, $value) { $clean = $value; $value = strtr($value, '@%02x'); // Convert to ASCII $value = strtr($value, '.-'); // Convert to lowercase $value = strtr($value, 'U'); // Convert to uppercase $value = strtr($value, 'a'); // Convert to lowercase $value = strtr($value, 'A'); // Convert to uppercase $clean .= $value;

return Validation::make($clean)->is('email');

} Step 3: Apply the Patch To fix the vulnerability, you need to modify the validate method to prevent any potential missteps. Here's how you can do it:

use Illuminate\Support\Facades\Validation;

public function validate($attribute, $value) { $clean = $value; $clean = strtr($clean, '@%02x'); // Convert to ASCII $clean = strtr($clean, '.-'); // Convert to lowercase $clean = strtr($clean, 'U'); // Convert to uppercase $clean = strtr($clean, 'a'); // Convert to lowercase $clean = strtr($clean, 'A'); // Convert to uppercase

return Validation::make($clean)->is('email');

} Explanation: By using the is method with a parameter, you can ensure that the email is only validated if the bytes attribute is absent. This prevents any malicious CRLF sequences from being executed. Optional Customizations Custom Error Messages: You can customize error messages for specific validation scenarios. Additional Validation: Use additional validation logic to check for other requirements before allowing the email to be sent. Benefits Summary Enhanced Security: Protects your application from CRLF injection vulnerabilities. Cleaner Code: Maintains clean and straightforward validation logic. User Confidence: Gives users confidence that their email addresses are validated correctly. By following these steps, you can ensure that your Laravel application is secure and that your users' email addresses are validated correctly, without any unwanted surprises.

Please or to participate in this conversation.