PT-2021-4652 · Laravel +1 · Laravel +1

Abergmann

·

Published

2021-01-12

·

Updated

2025-11-10

·

CVE-2021-3129

CVSS v3.1
10
VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Laravel versions prior to 8.4.2 Ignition versions prior to 2.5.2
Description The issue is related to insecure usage of 
file get contents()
and 
file put contents()
in the Ignition library used by Laravel. This allows unauthenticated remote attackers to execute arbitrary code when debug mode is enabled. The vulnerability is exploitable on sites using Laravel before version 8.4.2. It has been reported that this issue is being actively exploited, with attackers targeting cloud-hosted large language model services by leveraging stolen cloud credentials.
Recommendations For Laravel versions prior to 8.4.2, update to version 8.4.2 or later to resolve the issue. For Ignition versions prior to 2.5.2, update to version 2.5.2 or later to resolve the issue. As a temporary workaround, consider disabling debug mode in Laravel until a patch is applied. Restrict access to the Ignition module to minimize the risk of exploitation.

Exploit

Fix

Code Injection

Weakness Enumeration

CWE-94

Related Identifiers

BDU:2021-05345
CVE-2021-3129
GHSA-4QWP-7C67-JMCC

Affected Products

Ignition
Laravel