What is Laravel Ignition?
Laravel is one of the most popular PHP web application frameworks, used by millions of PHP developers worldwide to build web applications, APIs, and backend services. Ignition is Laravel's built-in debug-mode error page handler: when `APP_DEBUG=true` is set in the application configuration, Ignition displays detailed error pages with stack traces and provides "solutions" that can fix common errors by writing to log files or configuration. Laravel applications in production should run with `APP_DEBUG=false`, but many deployed applications, particularly those in development, staging, or poorly configured production environments, run with debug mode enabled. These misconfigured applications are vulnerable to CVE-2021-3129.
Overview
CVE-2021-3129 is an unauthenticated remote code execution vulnerability in Laravel Ignition arising from the interaction of `file_get_contents()` and `file_put_contents()` in the debug-mode solution handler. Ignition's `_ignition/execute-solution` endpoint allows the application to write to log files and configuration files as part of its fix-it suggestions. By combining `file_put_contents()` calls to write a malicious PHAR file and then triggering PHP's PHAR deserialization via a `phar://` wrapper in `file_get_contents()`, an attacker achieves unauthenticated arbitrary code execution on the server. The attack only works when Laravel debug mode is enabled (`APP_DEBUG=true`). CISA added this to KEV in September 2023, nearly three years after the patch, reflecting sustained exploitation against misconfigured Laravel applications.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| facade/ignition (Laravel 8+) before 2.5.2 | Yes | 2.5.2 |
| facade/ignition (Laravel 6/7) before 1.16.15 | Yes | 1.16.15 |
Technical Details
The exploit chain uses Ignition's legitimate file manipulation capabilities combined with PHP's PHAR deserialization feature:
- Root cause: The `_ignition/execute-solution` endpoint accepts `MakeViewBladeLogFolderWritable` and `MakeLogFolderWritable` solution requests that call `file_put_contents()` to write to paths specified in the request; no authentication is required when debug mode is active.
- PHAR deserialization: Attackers use `file_put_contents()` to write a PHP PHAR archive (which can contain serialized PHP objects in its metadata) to a writable directory. A subsequent call using `file_get_contents()` with a `phar://` path wrapper triggers PHP to deserialize the PHAR metadata, executing a PHP deserialization gadget chain.
- Gadget chains: Tools like PHPGGC provide ready-made deserialization gadget chains for common PHP libraries (Monolog, Swift Mailer, Guzzle) that achieve OS command execution during deserialization.
- Prerequisite: `APP_DEBUG=true` must be set in the Laravel `.env` configuration; this is the intended development-mode setting but is frequently left enabled in production.
- No authentication required: The `_ignition/execute-solution` endpoint is accessible without login; it is designed for developer use, not production.
Discovery
Discovered by security researchers including the Ambionics team, who published a detailed technical analysis of the PHAR deserialization technique in January 2021. The vulnerability highlights the risk of debug-mode features accessible in production environments.
Exploitation Context
The 2.5-year gap between patch and CISA KEV addition reflects the long-tail nature of this vulnerability: while easily patchable by upgrading Ignition, thousands of Laravel applications remain deployed with `APP_DEBUG=true` in production environments. Attackers use automated scanners to identify Laravel applications with debug mode enabled (detectable by the presence of the Ignition error page or specific HTTP headers) and immediately attempt the exploit. Ransomware operators and cryptominer deployers both exploit CVE-2021-3129 for initial server access.
Remediation
- Upgrade `facade/ignition` to version 2.5.2 (Laravel 8+) or 1.16.15 (Laravel 6/7): run `composer update facade/ignition` in the application directory.
- Set `APP_DEBUG=false` in all production environments; this is the most important remediation. Laravel debug mode should never be enabled in production; it exposes sensitive internal data regardless of CVE-2021-3129.
- Verify `APP_ENV=production` is set in `.env`; production mode enforces additional security defaults.
- Review web server logs for POST requests to `/_ignition/execute-solution` from unexpected sources, which may indicate exploitation attempts.
- Check for unauthorized webshells, cron jobs, or SSH keys added to the server that may indicate prior exploitation.
- Audit the Laravel application's writable directories (`storage/`, `bootstrap/cache/`) for unauthorized PHAR files.
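The following script is an added example, not part of this advisory and not Laravel or Ignition code. It automates three of the checks from the remediation list above (the `.env` configuration review, the access-log search for POSTs to `/_ignition/execute-solution`, and the PHAR audit of `storage/` and `bootstrap/cache/`), and the PHAR check also gives a concrete handle on the on-disk artifact that the Technical Details section describes. The log lines, file contents and IP addresses in it are constructed sample data; the combined-log-format layout and the `__HALT_COMPILER` / `GBMB` PHAR markers are assumptions about the environment being audited.

```python
"""Defender-side audit helpers for CVE-2021-3129 exposure in a Laravel deployment.

Added example; not part of the original advisory and not Laravel or Ignition code.
Three checks:
  1. does .env leave APP_DEBUG=true or APP_ENV != production?
  2. do the web server access logs show POSTs to /_ignition/execute-solution?
  3. do the writable directories (storage/, bootstrap/cache/) contain PHAR archives?
All sample data below (log lines, IPs, file contents) is constructed.
"""
import os
import re
from typing import Dict, Iterable, List

# ------------------------------------------------------------- 1. .env check ---
_ENV_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"#\r\n]*?)"?\s*(?:#.*)?$')


def parse_env(env_text: str) -> Dict[str, str]:
    """Parse KEY=value lines of a Laravel .env file (quotes and trailing comments stripped)."""
    env: Dict[str, str] = {}
    for line in env_text.splitlines():
        m = _ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip()
    return env


def debug_mode_findings(env_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the .env is production-safe."""
    env = parse_env(env_text)
    findings: List[str] = []
    if env.get("APP_DEBUG", "false").lower() == "true":
        findings.append("APP_DEBUG=true: Ignition error pages and the /_ignition/* routes are exposed")
    if env.get("APP_ENV", "").lower() != "production":
        findings.append("APP_ENV=%s: should be 'production'" % env.get("APP_ENV", "<unset>"))
    return findings


# ----------------------------------------------------------- 2. access logs ---
# Combined log format (assumed): ip ident user [ts] "METHOD path proto" status size ...
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
IGNITION_SOLUTION_PATH = "/_ignition/execute-solution"

SAMPLE_LOG_LINES = [  # constructed sample data, RFC 5737 documentation addresses
    '203.0.113.7 - - [15/Jan/2021:03:12:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jan/2021:03:12:45 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 18 "-" "python-requests/2.25.1"',
    '198.51.100.9 - - [15/Jan/2021:09:00:01 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 18 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jan/2021:03:12:46 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def find_execute_solution_requests(lines: Iterable[str], trusted_ips: Iterable[str] = ()) -> List[dict]:
    """Pick out POSTs to the Ignition solution endpoint, skipping known developer IPs."""
    trusted = set(trusted_ips)
    hits: List[dict] = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if m.group("method") == "POST" and path == IGNITION_SOLUTION_PATH and m.group("ip") not in trusted:
            hits.append(m.groupdict())
    return hits


# ---------------------------------------------------------- 3. PHAR on disk ---
PHAR_STUB_MARKER = b"__HALT_COMPILER"  # every PHAR stub ends with __HALT_COMPILER();
PHAR_TRAILER = b"GBMB"                 # last four bytes of a signed PHAR archive


def looks_like_phar(path: str, head_bytes: int = 1 << 20) -> bool:
    """Heuristic: stub marker within the first MiB, or the GBMB signature trailer at EOF."""
    try:
        with open(path, "rb") as fh:
            if PHAR_STUB_MARKER in fh.read(head_bytes):
                return True
            fh.seek(0, os.SEEK_END)
            if fh.tell() >= 4:
                fh.seek(-4, os.SEEK_END)
                return fh.read(4) == PHAR_TRAILER
    except OSError:
        pass  # unreadable file: report nothing rather than crash the audit
    return False


def scan_writable_dirs(app_root: str, subdirs=("storage", os.path.join("bootstrap", "cache"))) -> List[str]:
    """Walk the Laravel writable directories and return paths that look like PHAR files."""
    suspicious: List[str] = []
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(app_root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                if looks_like_phar(full):
                    suspicious.append(full)
    return sorted(suspicious)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."          # Laravel app root
    env_path = os.path.join(root, ".env")
    if os.path.exists(env_path):
        with open(env_path, encoding="utf-8") as fh:
            for finding in debug_mode_findings(fh.read()):
                print("[config]", finding)
    if len(sys.argv) > 2:                                     # optional access-log path
        with open(sys.argv[2], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG_LINES
    for hit in find_execute_solution_requests(log_lines):
        print("[log] %(ts)s %(ip)s POST %(path)s -> %(status)s" % hit)
    for p in scan_writable_dirs(root):
        print("[phar]", p)
```

Run it as `python audit_ignition.py /var/www/app /var/log/nginx/access.log` (paths assumed). A `[config]` line means the deployment is still exposed and `APP_DEBUG=false` is the first fix; a `[log]` hit from an address that is not a developer workstation is an exploitation attempt worth treating as an incident; a `[phar]` hit in a directory that should only hold cache and log data is evidence that the write step of the chain succeeded and the host needs the webshell, cron and SSH-key review from the list above.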
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-3129 |
| Vendor / Product | Laravel — Ignition |
| NVD Published | 2021-01-12 |
| NVD Last Modified | 2025-11-10 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2023-09-18 |
| CISA KEV Deadline | 2023-10-09 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2021-01-12 | CVE published; Ignition 2.5.2 released patching CVE-2021-3129 |
| 2021-01 | Ambionics publishes technical analysis of Laravel Ignition RCE technique |
| 2021-01 | Public exploit code published for CVE-2021-3129; exploitation begins against Laravel applications in debug mode |
| 2023-09-18 | Added to CISA Known Exploited Vulnerabilities catalog — 2.5 years after patch, reflecting sustained exploitation |
| 2023-10-09 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Ignition 2.5.2 Release — CVE-2021-3129 Fix | Vendor Advisory |
| Ambionics — Laravel Debug Mode RCE | Security Research |
| NVD — CVE-2021-3129 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |