The Ambionics Security team found a remote code execution vulnerability in the Laravel component. The vulnerability is tracked as CVE-2021-3129.
The vulnerability exists because, in debug mode, certain interfaces of Laravel's built-in Ignition component do not strictly filter input data. This allows attackers to use malicious log files to trigger phar deserialization, achieve remote code execution, and ultimately obtain server permissions.
Affected versions:
- Laravel < 8.4.3
- facade/ignition < 2.5.2
The latest security patch has been released. Affected users are advised to upgrade the Laravel framework.
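A defender-side check for the two conditions the advisory names (an affected version and debug mode), as an added example that is not part of the original advisory: it reads the text of a project's `composer.lock` and `.env`. The function names, the sample inputs and the set of values treated as "debug off" are assumptions made for this example.

```python
import json
import re

# Fixed releases as stated in the advisory above.
FIXED = {"laravel/framework": (8, 4, 3), "facade/ignition": (2, 5, 2)}
# Values treated as "debug off"; anything else counts as on (conservative assumption).
FALSY = {"", "0", "false", "(false)", "null", "(null)", "empty", "(empty)"}

def parse_version(text):
    """'v8.4.2' -> (8, 4, 2); None for non-numeric versions such as 'dev-master'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def affected_packages(lock_text):
    """Return {name: locked version} for packages older than the fixed release."""
    lock = json.loads(lock_text)
    hits = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, raw = pkg.get("name"), pkg.get("version", "")
        if name in FIXED:
            ver = parse_version(raw)
            # Unparseable versions are reported too, so a person reviews them.
            if ver is None or ver < FIXED[name]:
                hits[name] = raw
    return hits

def debug_enabled(env_text):
    """True if any APP_DEBUG line in a .env file is not an explicit off value."""
    for line in env_text.splitlines():
        m = re.match(r"\s*APP_DEBUG\s*=(.*)", line)
        if m:
            value = m.group(1).split("#")[0].strip().strip("'\"").lower()
            if value not in FALSY:
                return True
    return False

def assess(lock_text, env_text):
    """Combine both conditions the advisory names: old version and debug mode."""
    hits, debug = affected_packages(lock_text), debug_enabled(env_text)
    return {"affected": hits, "debug": debug, "exposed": bool(hits) and debug}

# Constructed sample inputs (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.4.2"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.5.1"}]})
SAMPLE_ENV = "APP_NAME=Demo\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))
```

A project that reports `exposed` as true should be upgraded as recommended above; turning debug mode off in production removes the condition the advisory describes but does not replace the upgrade.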
Working Exploit Script