{"id":"CVE-2021-3129","details":"Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.","aliases":["GHSA-4qwp-7c67-jmcc"],"modified":"2026-04-10T04:32:25.845186Z","published":"2021-01-12T15:15:16.453Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3129"},{"type":"FIX","url":"https://github.com/facade/ignition/pull/334"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"https://www.ambionics.io/blog/laravel-debug-rce"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facade/ignition","events":[{"introduced":"0"},{"fixed":"08668034beb185fa2ac6f09b1034eaa440952ace"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.5.2"}]}}],"versions":["1.0.0","1.0.1","1.0.3","1.0.4","1.1.0","1.1.1","1.10.0","1.11.0","1.11.1","1.11.2","1.12.0","1.12.1","1.13.0","1.13.1","1.14.0","1.15.0","1.16.0","1.2.0","1.3.0","1.4.2","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","1.7.0","1.7.1","1.8.0","1.8.1","1.8.2","1.8.4","1.9.0","1.9.1","1.9.2","2.0.0","2.0.1","2.0.10","2.0.2","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.1.0","2.2.0","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.3.8","2.4.0","2.4.1","2.5.0","2.5.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3129.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}