CVE-2021-3129
PHP vulnerability analysis and mitigation

Overview

CVE-2021-3129 affects Ignition before version 2.5.2, as used in Laravel and other products. The vulnerability allows unauthenticated remote attackers to execute arbitrary code due to insecure usage of the file_get_contents() and file_put_contents() functions. This vulnerability is particularly exploitable on sites using debug mode with Laravel versions before 8.4.2 (NVD).

Technical details

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from unsafe handling of file operations in the MakeViewVariableOptionalSolution component, which could allow attackers to exploit stream wrappers and execute arbitrary code. The vulnerability was fixed by implementing proper path validation to disallow stream wrappers and ensuring files end with the .blade.php extension (GitHub PR).
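The path validation described above, written out as an added example (this is not Ignition's or Laravel's own code): a guard that rejects stream wrappers and non-Blade paths, and confines the resolved path to the views directory, before any file_get_contents() or file_put_contents() call. The class name, method names and the views directory are assumptions.

```php
<?php
// Added example, not code from Ignition or Laravel. It demonstrates the kind
// of check the CVE-2021-3129 fix introduced: a view path that originates from
// a request must be a plain filesystem path (no "scheme://" stream wrapper),
// must end in ".blade.php", and must resolve inside the application's views
// directory before it is read or written. Requires PHP 8.0+.

declare(strict_types=1);

final class SafeViewPath
{
    /** @param string $viewsDir assumed base directory, e.g. resources/views */
    public function __construct(private string $viewsDir) {}

    public function isSafe(string $path): bool
    {
        // Reject anything shaped like "scheme://" (stream wrappers) and NUL bytes.
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) || str_contains($path, "\0")) {
            return false;
        }
        // Only Blade templates may be touched.
        if (!str_ends_with($path, '.blade.php')) {
            return false;
        }
        // Resolve symlinks and "..", then require the result to stay under the views dir.
        $real = realpath($path);
        $base = realpath($this->viewsDir);
        if ($real === false || $base === false) {
            return false;
        }
        return str_starts_with($real, rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR);
    }

    /** Reads a view only after the path has passed every check. */
    public function read(string $path): string
    {
        if (!$this->isSafe($path)) {
            throw new InvalidArgumentException('Unsafe view path rejected');
        }
        return file_get_contents($path);
    }
}

// Usage with constructed paths; the views directory must exist for realpath() to succeed.
$guard = new SafeViewPath(__DIR__ . '/resources/views');
var_dump($guard->isSafe('php://memory'));                                    // bool(false): stream wrapper
var_dump($guard->isSafe(__DIR__ . '/resources/views/../../config/app.php')); // bool(false): not .blade.php, escapes base
var_dump($guard->isSafe(__DIR__ . '/resources/views/welcome.blade.php'));    // bool(true) only if that file exists
```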

Impact

The vulnerability enables unauthenticated remote attackers to execute arbitrary code on affected systems. This could lead to complete system compromise, allowing attackers to gain unauthorized access, modify data, and potentially take full control of the affected server (NVD).

Mitigation and workarounds

Organizations should upgrade Ignition to version 2.5.2 or later, and Laravel to version 8.4.2 or later. If immediate patching is not possible, it is recommended to disable debug mode in Laravel applications. CISA has mandated federal agencies to apply vendor mitigations or discontinue product use if mitigations are unavailable (NVD).


Related PHP vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date
CVE-2025-59943 | HIGH | 8.1 | PHP | thorsten/phpmyfaq | No | Yes | Oct 03, 2025
GHSA-w22c-pw5m-482x | LOW | 3.3 | PHP | auth0/wordpress | No | Yes | Oct 01, 2025
GHSA-hjfh-5jmm-xr24 | LOW | 3.3 | PHP | auth0/login | No | Yes | Oct 01, 2025
GHSA-7jp2-5h22-m432 | LOW | 3.3 | PHP | auth0/symfony | No | Yes | Oct 01, 2025
CVE-2025-58769 | LOW | 3.3 | PHP | auth0/auth0-php | No | Yes | Oct 01, 2025
