On January 13, Laravel released (and re-released) a series of security updates.
On January 27, they released one more update for the same issue. The advisory was publicly published on February 2.
This security incident affects all Flarum installations created before January 28, 2021. We recommend you update the dependency as soon as possible.
In your Flarum folder, run the following command:
composer update illuminate/database --no-dev -a
Composer will show an output similar to the following:
Upgrading illuminate/database (v6.20.10 => v6.20.16)
If the version on the right of the arrow is
6.20.14 or higher, you have the fix.
If Composer says there's nothing to update, you can run
composer show illuminate/database to see the currently installed version and confirm it's already above 6.20.14
We have conducted tests to evaluate the impact on Flarum. We have not found any situation in which the vulnerability can be exploited in Flarum and its bundled extensions in a significant way. The only impact found is the ability to discover pairs of restricted discussion IDs and their author IDs through brute-force. We have not found any way to leak content or perform unauthorized actions.
However there is a high chance for some community extensions to be impacted by the vulnerability. The single command above will protect both Flarum and all installed community extensions.
We have not released a Flarum update since the dependency can be updated independently from Flarum and does not require any change to Flarum or extension code.
Extension developers can learn more about the issue here. If your code is impacted, we recommend you add additional validation and/or type casting to future-proof your code again this kind of vulnerabilities.
Laravel security advisory https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x
Advisory for the second update https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg
PS: you might have seen a different Laravel security incident discovered in November and talked about recently. Flarum is not using that particular Laravel component and is thus unaffected.