CVE-2021-3129

CVE Database · CVE-2021-3129

CVE-2021-3129

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

99.94%

Published

Jan 12, 2021

Modified

Nov 10, 2025

CISA Known Exploited Vulnerability

Added: 2023-09-18 · Due: 2023-10-09

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (11)

All weaponized →

Exploit-DBLaravel 8.4.2 debug mode - Remote code execution NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCambionics/laravel-exploits★290 GitHub PoCzhzyker/CVE-2021-3129★163 GitHub PoCjoshuavanderpoll/CVE-2021-3129★146 GitHub PoCSNCKER/CVE-2021-3129★133 GitHub PoCSecPros-Team/laravel-CVE-2021-3129-EXP★78 GitHub PoCnth347/CVE-2021-3129_exploit★69 GitHub PoCcrisprss/Laravel_CVE-2021-3129_EXP★18 GitHub PoCajisai-babu/CVE-2021-3129-exp★13

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products (2)

facade · ignition (up to 2.5.2)vulnerable

laravel · laravel (up to 8.4.2)

References (9)

http://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

https://github.com/facade/ignition/pull/334

PatchThird Party Advisory

https://www.ambionics.io/blog/laravel-debug-rce

ExploitThird Party Advisory

http://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html

KEV Catalog EPSS Scores Vendors All CVEs