Skip to content

⚠️ MEDIUM: Laravel APP_KEY and weak DB password in .env.devspace #3623

Description

@muhamedfazalps

Exposed Credentials

File: devspace/.env.devspace

Laravel APP_KEY

APP_KEY=base64:R7ErAo+lGcenuwxia/CG4raozxe7lYviGc7gHizfUHw=

Database Credentials

DB_USERNAME=codeweek
DB_PASSWORD=pass123
DB_DATABASE=codeweek

Impact

The Laravel APP_KEY is used for:

  1. Encrypting cookies and sessions — exposure allows session hijacking
  2. Encrypting model attributes — if used, encrypted data can be decrypted
  3. CSRF token generation — predictable tokens could allow CSRF attacks
  4. Password reset token signing — forged tokens could reset any user's password

The weak database password (pass123) is easily guessable.

Recommendation

  1. Regenerate the Laravel APP_KEY immediately (php artisan key:generate)
  2. Use a strong database password instead of pass123
  3. Move secrets to environment variables managed by the deployment platform
  4. Add this file to .gitignore if it contains real credentials

This issue was automatically generated as part of a security audit. For support: buymeacoffee.com/muhamedfazalps

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions