CVE-2021-3129

CVE-2021-3129 is a critical-severity vulnerability in Facade Ignition with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-09-18).

Key facts

Description

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

CVE-2021-3129: Laravel Ignition Unauthenticated Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2021-3129
CVSS v3.1 9.8 Critical
CVSS v2 7.5 High
EPSS 0.99943 (99.71st percentile)
KEV Yes — added to CISA catalog 2023-09-18
CWE Not specified in source data
Affected facade/ignition >=2.5.0, <2.5.2 (exploitable when Laravel debug mode is enabled)

Summary

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

Background

Ignition is the default error page for Laravel applications. It provides a beautiful debug interface when APP_DEBUG=true. Because it ships with Laravel and is often exposed in development and staging environments, a vulnerability in Ignition can have broad impact across the PHP ecosystem.

Root Cause

No CWE identifier is assigned in the available source data. The flaw stems from unsafe file operations: user-supplied input is passed directly to file_get_contents() and file_put_contents() without adequate validation or path restriction. This allows an attacker to read sensitive files and write executable content to predictable locations on the filesystem, which can then be triggered by the application.

Impact

The vulnerability is rated Critical under CVSS:3.1 with a base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  • Confidentiality: High — arbitrary file read enables extraction of source code, credentials, and configuration.
  • Integrity: High — arbitrary file write allows modification of application logic.
  • Availability: High — an attacker can overwrite critical files or deploy a web shell, leading to denial of service.
  • Scope: Unchanged — the vulnerable component is the Ignition debug handler itself.

Exploitation Walkthrough

Ethics Notice: This section is provided for defensive awareness only. Do not test against systems you do not own or have explicit permission to assess.

The attack vector is unauthenticated and network-accessible. When Laravel runs with debug mode enabled, Ignition exposes endpoints that accept a viewFile parameter. An attacker can supply a path to a writable log or cache file combined with crafted content. By chaining a file write into a subsequent file inclusion or rendering operation, the attacker achieves remote code execution. Defenders should treat any Laravel application with Ignition <2.5.2 and APP_DEBUG=true as critically exposed.

Affected and Patched Versions

  • Affected: facade/ignition versions >=2.5.0, <2.5.2
  • Exploitation condition: Laravel debug mode enabled (notably Laravel before 8.4.2)
  • Patched: Upgrade to facade/ignition 2.5.2 or later. The fix was merged in PR #334 and commit 11ffca14abd22db779d90b12e193f8000f6d184b.

Remediation

  1. Upgrade immediately to facade/ignition 2.5.2 or later via Composer.
  2. Disable debug mode in production: set APP_DEBUG=false in .env.
  3. Compensating controls: Restrict access to /vendor paths at the web-server or WAF layer; block requests to Ignition endpoints from untrusted sources.
  4. Rotate secrets if the application was running with debug mode exposed.

Detection

  • Monitor web logs for requests to Ignition endpoints containing viewFile or unexpected file paths.
  • Look for anomalous file_put_contents or file_get_contents calls in application audit logs.
  • Scan filesystems for newly created PHP files inside storage/logs, storage/framework/cache, or other writable directories.
  • Use the CISA KEV catalog as a prioritization signal.

Assessment

With an EPSS score of 0.99943, this vulnerability is among the most likely to be exploited in the wild. Its presence on the CISA Known Exploited Vulnerabilities catalog (added 2023-09-18) confirms active exploitation.

Key takeaways:

  1. Debug interfaces should never be reachable from untrusted networks; the convenience of detailed error pages is outweighed by the attack surface they create.
  2. A single insecure file operation in a widely-used dependency can cascade into unauthenticated RCE across an entire ecosystem.

References

Frequently asked questions

What is CVE-2021-3129?
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
How severe is CVE-2021-3129?
CVE-2021-3129 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-3129 being actively exploited?
Yes. CVE-2021-3129 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-09-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-3129?
CVE-2021-3129 affects Facade Ignition. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-3129?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-3129 have an EU (EUVD) identifier?
Yes. CVE-2021-3129 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-0599. It is also flagged as exploited in the EUVD (since 2023-09-18).
When was CVE-2021-3129 published?
CVE-2021-3129 was published on 2021-01-12 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Facade Ignition

All CVEs affecting Facade Ignition →