CVE-2021-3129
CVE-2021-3129 is a critical-severity vulnerability in Facade Ignition with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-09-18).
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-09-18)
- EU (EUVD) id: EUVD-2021-0599
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-09-18)
- Affected product: Facade Ignition
- Published:
- Last modified:
Description
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
CVE-2021-3129: Laravel Ignition Unauthenticated Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-3129 |
| CVSS v3.1 | 9.8 Critical |
| CVSS v2 | 7.5 High |
| EPSS | 0.99943 (99.71st percentile) |
| KEV | Yes — added to CISA catalog 2023-09-18 |
| CWE | Not specified in source data |
| Affected | facade/ignition >=2.5.0, <2.5.2 (exploitable when Laravel debug mode is enabled) |
Summary
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
Background
Ignition is the default error page for Laravel applications. It provides a beautiful debug interface when APP_DEBUG=true. Because it ships with Laravel and is often exposed in development and staging environments, a vulnerability in Ignition can have broad impact across the PHP ecosystem.
Root Cause
No CWE identifier is assigned in the available source data. The flaw stems from unsafe file operations: user-supplied input is passed directly to file_get_contents() and file_put_contents() without adequate validation or path restriction. This allows an attacker to read sensitive files and write executable content to predictable locations on the filesystem, which can then be triggered by the application.
Impact
The vulnerability is rated Critical under CVSS:3.1 with a base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- Confidentiality: High — arbitrary file read enables extraction of source code, credentials, and configuration.
- Integrity: High — arbitrary file write allows modification of application logic.
- Availability: High — an attacker can overwrite critical files or deploy a web shell, leading to denial of service.
- Scope: Unchanged — the vulnerable component is the Ignition debug handler itself.
Exploitation Walkthrough
Ethics Notice: This section is provided for defensive awareness only. Do not test against systems you do not own or have explicit permission to assess.
The attack vector is unauthenticated and network-accessible. When Laravel runs with debug mode enabled, Ignition exposes endpoints that accept a viewFile parameter. An attacker can supply a path to a writable log or cache file combined with crafted content. By chaining a file write into a subsequent file inclusion or rendering operation, the attacker achieves remote code execution. Defenders should treat any Laravel application with Ignition <2.5.2 and APP_DEBUG=true as critically exposed.
Affected and Patched Versions
- Affected:
facade/ignitionversions>=2.5.0, <2.5.2 - Exploitation condition: Laravel debug mode enabled (notably Laravel before 8.4.2)
- Patched: Upgrade to
facade/ignition2.5.2 or later. The fix was merged in PR #334 and commit11ffca14abd22db779d90b12e193f8000f6d184b.
Remediation
- Upgrade immediately to
facade/ignition2.5.2 or later via Composer. - Disable debug mode in production: set
APP_DEBUG=falsein.env. - Compensating controls: Restrict access to
/vendorpaths at the web-server or WAF layer; block requests to Ignition endpoints from untrusted sources. - Rotate secrets if the application was running with debug mode exposed.
Detection
- Monitor web logs for requests to Ignition endpoints containing
viewFileor unexpected file paths. - Look for anomalous
file_put_contentsorfile_get_contentscalls in application audit logs. - Scan filesystems for newly created PHP files inside
storage/logs,storage/framework/cache, or other writable directories. - Use the CISA KEV catalog as a prioritization signal.
Assessment
With an EPSS score of 0.99943, this vulnerability is among the most likely to be exploited in the wild. Its presence on the CISA Known Exploited Vulnerabilities catalog (added 2023-09-18) confirms active exploitation.
Key takeaways:
- Debug interfaces should never be reachable from untrusted networks; the convenience of detailed error pages is outweighed by the attack surface they create.
- A single insecure file operation in a widely-used dependency can cascade into unauthenticated RCE across an entire ecosystem.
References
- http://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html
- https://github.com/facade/ignition/pull/334
- https://www.ambionics.io/blog/laravel-debug-rce
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3129
- https://nvd.nist.gov/vuln/detail/CVE-2021-3129
- https://github.com/facade/ignition/commit/11ffca14abd22db779d90b12e193f8000f6d184b
- https://github.com/FriendsOfPHP/security-advisories/blob/master/facade/ignition/CVE-2021-3129.yaml
- https://github.com/facade/ignition
Frequently asked questions
- What is CVE-2021-3129?
- Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
- How severe is CVE-2021-3129?
- CVE-2021-3129 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-3129 being actively exploited?
- Yes. CVE-2021-3129 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-09-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-3129?
- CVE-2021-3129 affects Facade Ignition. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-3129?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-3129 have an EU (EUVD) identifier?
- Yes. CVE-2021-3129 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-0599. It is also flagged as exploited in the EUVD (since 2023-09-18).
- When was CVE-2021-3129 published?
- CVE-2021-3129 was published on 2021-01-12 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html
- https://github.com/facade/ignition/pull/334
- https://www.ambionics.io/blog/laravel-debug-rce
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3129
Affected products (1)
- cpe:2.3:a:facade:ignition:*:*:*:*:*:laravel:*:*
More vulnerabilities in Facade Ignition
- CVE-2021-43996 — Critical (CVSS 9.8): The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can…
- CVE-2020-13909 — Critical (CVSS 9.8): The Ignition component before 2.0.5 for Laravel mishandles globals, _get, _post, _cookie, and _env. NOTE: in the 1.x…