{"id":"CVE-2017-16894","details":"In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework.","modified":"2026-04-10T03:57:53.276352Z","published":"2017-11-20T01:29:00.227Z","references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html"},{"type":"WEB","url":"https://twitter.com/finnwea/status/967709791442341888"},{"type":"ADVISORY","url":"http://whiteboyz.xyz/laravel-env-file-vuln.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/laravel/framework","events":[{"introduced":"0"},{"last_affected":"6321069a75723d88103526903d3192f0b231544a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.5.21"}]}}],"versions":["v4.0.0","v4.0.0-BETA2","v4.0.0-BETA3","v4.0.0-BETA4","v4.1.0","v5.5.0","v5.5.1","v5.5.10","v5.5.12","v5.5.13","v5.5.14","v5.5.15","v5.5.16","v5.5.17","v5.5.18","v5.5.19","v5.5.2","v5.5.20","v5.5.21","v5.5.3","v5.5.4","v5.5.5","v5.5.6","v5.5.7","v5.5.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16894.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}