KEVIntel
9.8
CVSS
Critical

CVE-2021-3129

PUBLISHED

Exploited in the wild · Used in malware · Remote · Low complexity · No user interaction
Vendor: Facade
Product: Ignition
Published: Jan 12, 2021
EPSS

Description

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

cisa malware ransomware nuclei_scanner metasploit

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 7.5

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation status

Exploited in the wild

Recorded 2023-09-18 00:00:00 UTC · Source

Used in malware

Recorded 2023-09-18 00:00:00 UTC · Source

SSVC decision points

Exploitation: active
Automatable: Yes
Technical impact: total

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Sep 18, 2023

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

ignition_laravel_debug_rce

metasploit · Created Unknown

Metasploit module for CVE-2021-3129

0x0d3ad/CVE-2021-3129

github · Created 2024-09-29 05:09:41 UTC · 4 stars

CVE-2021-3129 (Laravel Ignition RCE Exploit)

Axianke/CVE-2021-3129

github · Created 2024-01-15 07:12:07 UTC · 5 stars

CVE-2021-3129

wmasday/CVE-2021-3129

github · Created 2023-07-27 12:14:01 UTC · 2 stars

CVE-2021-3129 | Laravel Debug Mode Vulnerability

ajisai-babu/CVE-2021-3129-exp

github · Created 2023-03-04 17:04:38 UTC · 6 stars

Laravel Debug mode RCE vulnerability (CVE-2021-3129) PoC / exp

0nion1/CVE-2021-3129

github · Created 2022-10-11 08:53:05 UTC · 6 stars

CVE-2021-3129-Laravel Debug mode

shadowabi/Laravel-CVE-2021-3129

github · Created 2022-06-04 10:58:47 UTC · 5 stars

CVE-2021-3129 POC

joshuavanderpoll/CVE-2021-3129

github · Created 2022-04-16 17:22:55 UTC · 104 stars

Laravel RCE Exploit Script - CVE-2021-3129

cuongtop4598/CVE-2021-3129-Script

github · Created 2022-04-08 06:34:17 UTC · 8 stars

Add revert shell

knqyf263/CVE-2021-3129

github · Created 2021-10-01 09:09:38 UTC · 13 stars

PoC for CVE-2021-3129 (Laravel)

idea-oss/laravel-CVE-2021-3129-EXP

github · Created 2021-07-22 07:35:04 UTC · 1 stars

Y0s9/CVE-2021-3129

github · Created 2021-04-11 05:47:43 UTC · 0 stars

CVE-2021-3129-Laravel Debug mode remote code execution vulnerability

zhzyker/CVE-2021-3129

github · Created 2021-02-18 05:42:13 UTC · 153 stars

Laravel <= v8.4.2 debug mode: Remote code execution (CVE-2021-3129)

FunPhishing/Laravel-8.4.2-rce-CVE-2021-3129

github · Created 2021-02-14 09:24:07 UTC · 2 stars

nth347/CVE-2021-3129_exploit

github · Created 2021-01-27 10:16:35 UTC · 65 stars

Exploit for CVE-2021-3129

crisprss/Laravel_CVE-2021-3129_EXP

github · Created 2021-01-27 05:44:52 UTC · 17 stars

SecPros-Team/laravel-CVE-2021-3129-EXP

github · Created 2021-01-25 08:42:28 UTC · 72 stars

SNCKER/CVE-2021-3129

github · Created 2021-01-22 05:12:21 UTC · 127 stars

Laravel debug rce

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel

  • Detected by Nuclei

  • Detected by Metasploit