- Update dependency laravel/framework to v12 [SECURITY]#175

Open

blumilk-renovate[bot] wants to merge 1 commit into

mainfrom

renovate/packagist-laravel-framework-vulnerability

blumilk-renovate Bot commented Jun 20, 2026

Contributor

This PR contains the following updates:

Package	Change	Age	Confidence
laravel/framework (source)	`^11.51.0` -> `^12.0.0`

GitHub Vulnerability Alerts

GHSA-5vg9-5847-vvmq

Summary

A CRLF injection vulnerability in Laravel's email validation, in combination with how Symfony Mailer and Symfony Mime handle certain character sequences, may allow an unauthenticated attacker to interfere with outbound email processing in applications that send mail to user-supplied addresses.

Description

Laravel applications that send email to addresses provided by users — for example during authentication flows or contact forms — may be vulnerable to manipulation of outbound mail content if the address is not adequately sanitized before it reaches the mail transport layer.
An attacker who can supply an email address to such a flow may, under certain conditions, be able to influence the content of emails sent by the application, cause those emails to be delivered to unintended recipients, or cause the application's mail server to send unintended messages.

Impact

Affected applications may be exposed to unauthorized access and mail relay abuse. The severity depends on what the application sends by email and how its mail infrastructure is configured.

Remediation

Upgrade to version 12.60.0 or later, or 13.10.0 or later.

GHSA-crmm-hgp2-wgrp

A vulnerability in Laravel's local filesystem driver allows temporary signed URLs to be parsed ambiguously, potentially misrouting requests and bypassing expiration enforcement.

Under certain conditions, a generated temporary signed URL can be interpreted differently by the server than intended at signing time. This may cause requests to resolve to an unintended resource, and can prevent expiration from being enforced, allowing expired URLs to remain valid indefinitely.

Impact

Expired temporary URLs may continue to be accepted
Requests may resolve to a different resource than the one that was signed
The upload variant may allow writes to reach an unintended destination

Release Notes

laravel/framework (laravel/framework)

`v12.61.1`

[12.x] Preserve empty HTTP attach contents by @GrahamCampbell in #60291
Fix @params typo in Fluent and MessageBag toPrettyJson() docblocks by @Amirhf1 in #60313
[12.x] Fix regex typo in Env::addVariableToEnvContents that prevented quotin… by @Amirhf1 in #60312
[12.x] Fix Number::trim() returning null for INF and NAN values by @Amirhf1 in #60322
[12.x] Fix FIFO queue name normalization in Cloud managed queues by @kieranbrown in #60316
[12.x] Fix Number::pairs() infinite loop when $by is zero or negative by @Amirhf1 in #60324
[12.x] Ensure path seperators aren't encoded in LocalFilesystemAdapter by @jackbayliss in #60350
[12.x] Ensure config is bound before trying to log deprecation notice by @crynobone in #60376

`v12.61.0`

[12.x] Accept Symfony's new control-characters exception message in mailer test by @kieranbrown in #60203
[12.x] Fix queue:failed command to show real class name by @clementmas in #60279
[12.x] Throw ManagedQueueNotFoundException when a managed queue is missing by @kieranbrown in #60276

`v12.60.2`

[12.x] Boot managed queues before service providers boot by @kieranbrown in #60199

`v12.60.1`

[12.x] Rename X-Request-ID header to Cloud-Request-ID by @kieranbrown in #60189

`v12.60.0`

[12.x] Fix Number::fileSize() handling of negative byte values by @Amirhf1 in #60147
[12.x] Remove stale PHPStan ignore comments from type tests by @jradtilbrook in #60167
[12.x] Output cloud request ID in logs by @jradtilbrook in #60166
[12.x] Dedicated Cloud Queue by @kieranbrown in #60181

`v12.59.0`

[12.x] Disable pausing on managed queue workers by @kieranbrown in #59871
[12.x] Fix infinite recursion when defining model scope with attribute as private by @noefleury in #59958
[12.x] Fix infinite recursion when middleware group referencing itself by @noefleury in #60002
[12.x] Backport #60000 to 12.x by @iWader in #60006
[12.x] Narrow attachment url scheme by @benbjurstrom in #60035
[12.x] backport #60045 to 12.x by @levikl in #60052
[12.x] Back port cloud queues by @timacdonald in #60122

`v12.58.0`

[12.x] Memoize credentials in SqsConnector by @kieranbrown in #59867

`v12.57.0`

Preserve types on partialMock() and spy() by @AJenbo in #59384
Fix missing UnitEnum support in ModelNotFoundException by @jtheuerkauf in #59423
[12.x] Fix macros with static closures by @FeBe95 in #59449
Correct Storage::fake() return type by @AJenbo in #59469
[12.x] Fix callable type for freezeTime, freezeSecond, and travelTo by @nbayramberdiyev in #59466
[12.x] Support string abstract in mock/partialMock/spy PHPDoc by @kayw-geek in #59477
Document thrown exceptions in FilesystemAdapter by @AJenbo in #59534
Hint \Redis @mixin on Connection by @AJenbo in #59532
[12.x] Use PDO subclass polyfill by @jnoordsij in #59640
[12.x] Fix infinite rate limiter TTL on custom increments by @paulandroshchuk in #59693
[12.x] Support named credential providers for SQS queue connections by @kieranbrown in #59754
[12.x] Prevent array to string conversion in signature validation by @alies-dev in #59778

`v12.56.0`

[12.x] schedule:list display expression in the correct timezone by @xiCO2k in #59307
[12.x] Fix validation wildcard array message type error by @sadique-cws in #59339
Preserve class type of mocked classes by @AJenbo in #59353

`v12.55.1`

[12.x] Correct truncate exceptions at by @bretto36 in #59239
[12.x] Fix float pluralization in trans_choice() by @JulianGlueck in #59268
[12.x] Fix tests on PHP 8.5 by @SanderMuller in #59251

`v12.55.0`

Add depth parameter to Arr::dot() by @faytekin in #59150
[12.x] Add strict integer validation to Numeric validation rule by @riesjart in #59156
[12.x] Add *OrFail transaction methods to BelongsToMany by @SanderMuller in #59153
Bump tar from 7.5.9 to 7.5.11 in /src/Illuminate/Foundation/resources/exceptions/renderer by @dependabot[bot] in #59164
[12.x] Add missing *OrFail transaction methods to BelongsToMany by @erhanurgun in #59168
[12.x] Add inOrderOf() method to query builder by @faytekin in #59162
[12.x] Add tcp_keepalive option to PhpRedis connector by @heikokrebs in #59158
[12.x] untap PendingRequest by @cosmastech in #59188
[12.x] Fix float to int deprecation in trans_choice() for certain locales by @hamedelasma in #59174
[12.x] Allow touch() to accept multiple columns by @devajmeireles in #59175
Revert "Add composite index to jobs table migration for improved queue polling" by @taylorotwell in #59202
[12.x] Add fluent string validation rule builder by @SanderMuller in #59201
Update Command::withProgressBar phpdoc to account for arrow functions and non-void return types by @billypoke in #58766
[12.x] Lazily evaluate value for constraints in HasOneOrManyThrough by @Jacobs63 in #59231
Add string helper to get initials from a string by @denjaland in #59230
fix: Strip gzip-compressed output from concurrent process response by @NikhiltGhalme in #59224
[12.x] Fix failing tests introduced by #59201 by @SanderMuller in #59207
[12.x] Avoid redundant Util::getParameterClassName() call in container resolution by @SanderMuller in #59220
[12.x] Add missing conditional validation rule builders by @SanderMuller in #59209
[12.x] Skip placeholder replacements when message does not contain them by @SanderMuller in #59211
[12.x] Use array_push with spread operator in MessageBag::all() by @SanderMuller in #59217
[12.x] Cache Route instances in CompiledRouteCollection::getByName() by @SanderMuller in #59221
[12.x] Accept CarbonInterval for retry sleep duration by @riesjart in #59232
[12.x] Fix failing phpstan by @GrahamCampbell in #59245
[12.x] Update comments for PlanetScale MySQL and PostgreSQL by @GrahamCampbell in #59244
[12.x] Use big integers for database cache expiration column by @tanerkay in #59243
[12.x] Display file path and line number for closure routes in route:list by @devajmeireles in #59237
[12.x] Add wantsMarkdown() and acceptsMarkdown() request methods by @joetannenbaum in #59238

`v12.54.1`

[12.x] Makes imports consistent by @nunomaduro in #59149

`v12.54.0`

[12.x] Fix division by zero error in repeatEvery() method by @amirhshokri in #58987
[12.x] Allow app.editor.base_path to be an empty string by @kminek in #58991
[12.x] Add missing, remove unused parameters to docblocks by @mrvipchien in #58989
Fix URL validation for punycode subdomains by @mpa12 in #58982
[12.x] Prevent queue deadlock when reserving a job throws an exception (e.g., attempts overflow) by @sadique-cws in #58978
[12.x] bug: throttle with redis ignores after callback by @RobertBoes in #58990
Update brick/math version constraint to include 0.15 by @julien-boudry in #59005
Revert "Update brick/math version constraint to include 0.15" by @GrahamCampbell in #59009
Bump rollup from 4.46.3 to 4.59.0 in /src/Illuminate/Foundation/resources/exceptions/renderer by @dependabot[bot] in #59013
[12.x] Fix TwoColumnDetail stripping trailing punctuation from second column values by @theritvars in #59010
[12.x] Add support for assertions on BinaryFileResponse by @axlon in #59018
[12.x] fix: array offset deprecation warning by @calebdw in #59019
[12.x] Add tsvector column type for PostgreSQL by @milroyfraser in #59004
Memory Limit passed as string when run from supervisor by @turbo124 in #59049
[12.x] Fix facade cache file permissions by @nkoestinger in #59059
[12.x] Display oldest pending job in queue:monitor output by @jackbayliss in #59073
Fix type() method return type in Illuminate\Filesystem\Filesystem by @GNfsys in #59071
[12.x] Test Improvements by @crynobone in #59068
[12.x] Wrap flags in int-mask-of annotation by @shaedrich in #59082
Fix after-commit observers breaking -ing event cancellation by @eyupcanakman in #59058
[12.x] Fix migrate:fresh failing when database does not exist by @MElkmeshi in #59113
[12.x] Add interval() method to InteractsWithData by @SanderMuller in #59114
[12.x] Hash displayName() in cache lock keys by @A5hleyRich in #59141
[12.x] Improved html test helpers by @jnoordsij in #59140
[12.x] Add Model::withoutRelation() for selective relation unloading by @SanderMuller in #59137
[12.x] Include request context in HTTP client Response::dump() by @SanderMuller in #59136
Fix enum handling in ModelNotFoundException error message by @isaackaara in #59132
[12.x] Update composer.json to enforce commonmark version without DisallowedRawHtmlRenderer exploit by @Smoggert in #59131
[12.x] Suppress chmod errors in Filesystem::replace() for non-POSIX filesystems by @eyupcanakman in #59126
Add composite index to jobs table migration for improved queue polling by @firecow in #59111
[12.x] Load custom markdown extensions for mail by @dasundev in #59051
[12.x] Fix docblock for RateLimiter for() method by @amirhshokri in #59144
[12.x] Deduplicate paths in view:cache by @ganyicz in #59145

`v12.53.0`

[12.x] Add multipleOf support to JsonSchema numeric types by @Amirhf1 in #58903
[12.x] chore: don't format notifiables in NotificationSender::send by @calebdw in #58900
[12.x] Add vector option to whereFullText for pre-computed tsvector columns by @milroyfraser in #58893
[12.x] Add array key support for buildMorphMapFromModels() function by @josephkerkhof in #58891
[12.x] Fix RequestException summarizing for Guzzle streamed responses by @cosmastech in #58909
[12.x] Tests for streamed RequestException by @cosmastech in #58910
Support a serializable classes value on caches by @taylorotwell in #58911
[12.x] Simplify TokenGuard methods by @Amirhf1 in #58923
[12.x] Add uniqueItems support to JsonSchema ArrayType by @Amirhf1 in #58922
[12.x] Add tests for PhpRedisClusterConnection flushdb method by @miladev95 in #58917
[12.x] Add support for named arguments in event dispatching and broadcasting by @ph7jack in #58913
[12.x] Allow down command to refresh maintenance mode options by @alies-dev in #58918
[12.x] Rollback lingering PDO transaction before retrying on commit deadlock by @dxnter in #58906
[12.x] Simplify queue resolution using match expression by @josephkerkhof in #58928
Bump tar from 7.5.7 to 7.5.9 in /src/Illuminate/Foundation/resources/exceptions/renderer by @dependabot[bot] in #58931
[12.x] Fix model serialization in queue jobs by @axlon in #58939
[12.x] Change Mail text alignment from left to start by @zvizvi in #58935
[12.x] Refactor convertValuesToBoolean to use match for cleaner logic by @josephkerkhof in #58927
[12.x] Allow Scheduled Command Event macros to be applied to schedule groups by @stevebauman in #58926
[12.x] Fix race condition on creating the real-time facade cache file (#58945) by @sosias in #58947
[12.x] Show all mismatched values in assertSessionHasAll failure output by @dxnter in #58946
Fix RetryCommand not working for SQS FIFO queue by @cwang22 in #58936
[12.x] Improve return types for Wormhole and InteractsWithTime by @KentarouTakeda in #58951
[12.x] Add Cache::funnel() for concurrency limiting with any cache driver by @mathiasgrimm in #58439
[12.x] Ensure oldest_pending is displayed in queue:monitor by @jackbayliss in #58952
[12.x] Fix/cross database null safe equals by @patrickomeara in #58962
[12.x] Add MySQL inRandomOrder regression tests by @laraib15 in #58966
[12.x] Add missing @throws docblocks to Illuminate/Http by @Amirhf1 in #58965
Fix Invalid Types by @RyanSchaefer in #58963
JSONP Check by @taylorotwell in #58971
[12.x] Resolve Stan Mailable CI error by @jackbayliss in #58972
[12.x] Remove unnecessary dirname calls. by @jelleroorda in #58984
[12.x] Add missing @throws docblocks to Serializer and Type classes in Illuminate/JsonSchema by @mrvipchien in #58981

`v12.52.0`

[12.x] Fix: @return in doc blocks by @alipowerful7 in #58746
[12.x] Ensure defer callbacks aren't discarded when using the sync queue by @jackbayliss in #58745
[12.x] Refactor: remove Arr::wrap() and add Collection::wrap() by @alipowerful7 in #58748
Add support for temporaryUploadUrl to the local filesystem by @mnapoli in #58499
Only merge cached casts for accessed attribute by @ug-christoph in #57627
[12.x] Sort stan issue on PendingRequest by @jackbayliss in #58760
[12.x] Update alphabetical order in facades.yml by @luisscruza in #58757
[12.x] allow string-based expressions for selectExpression() by @tpetry in #58753
Revert "[12.x] Adjust freshTimestamp for SQL Server" by @calebdw in #58758
[12.x] Fix return empty Collection for non-model JSON:API resources by @noir4y in #58752
[12.x] Refactor: remove extra space by @alipowerful7 in #58751
[12.x] Standardize regex delimiter in ObserverMakeCommand::parseModel by @mohammadRezaei1380 in #58777
[12.x] Fix incorrect @return type in VendorPublishCommand::publishTag by @mohammadRezaei1380 in #58774
Fix phpdoc type in promptForMissingArgumentsUsing by @billypoke in #58768
[12.x] cast Batch::progress() return value to int by @zjbarg in #58767
[12.x] Drop Collection import from AbstractRouteCollection by @jackbayliss in #58769
[12.x] Fix missing InputArgument::IS_ARRAY in getArguments PHPDoc by @kayw-geek in #58771
[12.x] Fix: @return for resolveResourceRelationshipIdentifiers() by @alipowerful7 in #58764
[12.x] Mailable::later() does not set delay on SendQueuedMailable instance by @amirhshokri in #58765
[12.x] Refactor: use enum_value() helper for environment value extraction by @alipowerful7 in #58785
[12.x] Add delay support assertions for queued mailables by @amirhshokri in #58787
Fix MySQL connection string to use --ssl-mode=DISABLED for modern clients by @AJenbo in #58786
[12.x] Refactor: standardize regex by @alipowerful7 in #58789
[12.x] Allow $preserveKeys param for LazyCollection random by @jackbayliss in #58791
[12.x] Refactor: new Collection() by @alipowerful7 in #58793
[12.x] Add makeMany method to Factory by @jackbayliss in #58795
[12.x] Add withoutAfterMaking() and withoutAfterCreating() factory helpers by @ziadoz in #58794
[12.x] Backport withMiddleware changes from 13.x by @jackbayliss in #58798
[12.x] Fix: add |array in doc block by @alipowerful7 in #58805
[12.x] Add option to opt out of parallel safe cache prefix by @jackbayliss in #58801
[12.x] Normalize Throwable docblocks to fully-qualified name by @amirhshokri in #58802
[12.x] Refactor: remove unnecessary \BackedEnum by @alipowerful7 in #58807
Use atomic writes when creating inline Blade component views by @cyppe in #58815
[12.x] Add missing tests for Request::fullUrlWithoutQuery by @miladev95 in #58814
Improve File::toKilobytes() DocBlock return type by @Amirhf1 in #58811
Use atomic writes in BladeCompiler to prevent race condition by @cyppe in #58812
[12.x] Refactor: add JSON decoded by @alipowerful7 in #58830
[12.x] Refactor: add missing @throws tag in dock block by @alipowerful7 in #58829
[12.x] Formatting by @amirhshokri in #58828
[12x]Refactor: remove unnecessary \BackedEnum in HasAttributes.php by @mohammadRezaei1380 in #58827
[12x] Refactor conditional message formatting using match expression by @mohammadRezaei1380 in #58825
[12.x] Refactor: use match expression by @alipowerful7 in #58824
[12.x] Simplify compileSelect method return by @amirhshokri in #58821
[12.x] Refactor: simplify code by @alipowerful7 in #58820
[12.x] Refactor: remove unnecessary \BackedEnum by @alipowerful7 in #58818
[12.x] Ensure HttpClientTest doesnt flake in Windows CI by @jackbayliss in #58817
[12.x] Refactor: JSON decoded to decoded JSON by @alipowerful7 in #58849
[12.x] Allow closure parameters in docblock for when() helper function by @gazben in #58862
[12.x] Fix typo in cache composer.json by @amirhshokri in #58875
[12.x] Remove unnecessary forgetDriver()from TestCaches by @jackbayliss in #58878
Revert "[12.x] Fixed precision checks for column types in SQL Server grammar" by @taylorotwell in #58888
[12.x] Display closures and standalone functions correctly in exception trace by @avosalmon in #58879

`v12.51.0`

Remove type hint in favor of return type by @WendellAdriel in #58621
[12.x] Adjust freshTimestamp for SQL Server by @aimeos in #58614
[12.x] Handle binary data in Js::encode() debug renderer by @denis-chmel in #58618
[12.x] Add ArrayObject props to AsEncryptedArrayObject to match AsArrayObject by @AndrewMast in #58619
fix: Arr::wrap() return type by @calebdw in #58625
[12.x] Fix typo in type definition by @shaedrich in #58624
[12.x] Prevent dupe locale checks in Lang::get() when locale matches fallback by @jackbayliss in #58626
[12.x] chore: add deprecation to Request::get() by @calebdw in #58635
[12.x] Fix Str::substrReplace for edge cases with negative offset or length by @jboonstra70 in #58634
[12.x] Refactor: improve doc blocks by @alipowerful7 in #58630
[12.x] Add BatchCancelled Event by @jackbayliss in #58627
[12.x] Fix typo in type definition by @amirhshokri in #58638
[12.x] Update reload tasks to include schedule:interruption by @adevade in #58637
docs: add missing description to FilesystemAdapter::report() docblock by @eranishojha in #58640
[12.x] Allow closures for values in firstOrCreate and createOrFirst by @gcavanunez in #58639
[12.x] Support afterSending method on notification by @gdebrauwer in #58654
[12.x] Allow Stringable::deduplicate() to accept array of characters by @Tresor-Kasenda in #58649
Update regex for trans_choice to allow negative ranges by @hmazter in #58648
Added timeout method to query builder for MySQL by @Vladelis in #58644
[12.x] Add assertJobs method on PendingBatchFake by @gdebrauwer in #58606
[12.x] Fix batch counts when deleteWhenMissingModels skips missing model jobs by @yankewei in #58541
[12.x] Fix Postgres sequence starting value for custom schemas/connections by @joteejotee in #58199
[12.x] Add whenFails and whenPasses methods on Validator by @gdebrauwer in #58655
[12.x] Bus::assertBatched() with array by @gdebrauwer in #58659
[12.x] Refactor: improve doc block by @alipowerful7 in #58677
[12.x] Add withoutHeader() method to Response by @miladev95 in #58671
[12.x] Add integer array key support in phpdocs by @dluague in #58668
Illuminate\Console\Parser typehint fix. by @LastDragon-ru in #58670
fix: replace substr with mb_substr for user agent encoding by @jonagoldman in #58703
chore: fix the Laravel ASCII SVG so that its characters perfectly align to columns by @markjaquith in #58702
[12.x] Allow retrieving all view data via viewData() in TestResponse by @shane-zeng in #58700
Exception page: fix pop in for non main frames by @martinpl in #58698
[12.x] Add missing @throws annotations to validation rules and JsonResponse by @QDenka in #58697
[12.x] Add conditional return type hint for Route::middleware() method. by @marcreichel in #58699
[12.x] Improved type hints for when() helper function. by @marcreichel in #58696
[12.x] Support Eloquent builders and relations as subqueries to update queries by @axlon in #58692
Add cache prefix isolation for parallel testing (#57584) by @HeathNaylor in #58691
Fix whereBetween to accept DatePeriod and handle missing end dates (#58092) by @HeathNaylor in #58687
Fix Str::isUrl() returning false for single-char domain names (#58538) by @HeathNaylor in #58686
Fix HTTP client response type hints for IDE compatibility (#58555) by @HeathNaylor in #58684
Fix types for ConfirmableTrait::confirmToProceed by @rolfvandekrol in #58681
[12.x] Refactor: simplify return with ?? by @alipowerful7 in #58679
[12.x] Refactor: replace header / headers with standardized header(s) by @alipowerful7 in #58678
Add SSL cert/key support to MySQL schema dump and load (#57821) by @HeathNaylor in #58690
Allow specifying Redis connection on Redis-based queue middleware by @markieo1 in #58656
[12.x] Use JS to create the Laravel ASCII SVG logo on the fly by @markjaquith in #58719
[12.x] Feat: add orderByPivotDesc() by @alipowerful7 in #58720
[12.x] Refactor: add @throws \InvalidArgumentException to doc blocks by @alipowerful7 in #58714
[12.x] Restore original dispatcher bindings after precognitive request by @pindab0ter in #58716
[12.x] Ensure throwIfStatus / throwUnlessStatus work for all status codes by @jackbayliss in #58724
Fix Queue::fake() not releasing unique job locks between tests (#58533) by @HeathNaylor in #58718
[12.x] Refactor: add _ to more readability digit by @alipowerful7 in #58738
[12.x] Refactor: Clean up unused $config parameters in ConcurrencyManager by @alizadeh7091 in #58739
[12.x] Refactor: use Dumpable by @alipowerful7 in #58743
[12.x] Update forever cookie factory docblock to reflect 400-day duration by @jackbayliss in #58744

`v12.50.0`

[12.x] Test Improvements by @crynobone in #58531
[12.x] Resolve the correct queue factory when using laravel octane by @BertvanHoekelen in #58530
[12.x] Clear parallel test view cache directories by @eduPHP in #58525
[12.x] fix: allow phpstan to understand default value for Request::enum by @calebdw in #58529
[12.x] feat: allow queued listeners to be unique by @calebdw in #58402
[12.x] Use morphMap when serializing model identifiers by [@cosmastech](https://redirect.github.com/cosmast

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Warsaw, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.


          - Update dependency laravel/framework to v12 [SECURITY]

849727e

blumilk-renovate Bot requested a review from a team as a code owner

June 20, 2026 10:34

blumilk-renovate Bot added dependencies renovate security labels

blumilk-renovate Bot requested a review from Blusia

June 20, 2026 10:34

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies renovate security