cbcvebase.
CVE-2017-16894
published 2017-11-20

Priority: P1 · 80 · high
CVSS 3.0: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 87.03% (99.7th percentile)
In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework.

Affected

2 ranges

Vendor   | Product               | Version range | Fixed in
debian   | php-laravel-framework |               |
laravel  | laravel               | <= 5.5.21     |

Detection & IOCs (extracted from sources)

path: /.env
path: /index.php
other: X-XSRF-TOKEN: <serialized-payload>
path: src/Illuminate/Foundation/Console/KeyGenerateCommand.php
sigma: GET /.env HTTP/1.x -> response body contains APP_NAME= AND APP_DEBUG= AND DB_PASSWORD=
  • Monitor HTTP GET requests to the path /.env; a 200 response with Content-Type: application/octet-stream and body containing APP_NAME=, APP_DEBUG=, and DB_PASSWORD= is a confirmed exploitation indicator.
  • Detect chained exploitation: after .env disclosure, watch for HTTP POST requests to /index.php carrying a non-standard or oversized X-XSRF-TOKEN header, which is the follow-on RCE vector (CVE-2018-15133).
  • The exploit checks for XSRF-TOKEN or laravel_session cookies in the response to fingerprint a Laravel target before attempting exploitation.
  • APP_KEY extraction from .env: look for the regex pattern APP_KEY=base64:(.*) in HTTP response bodies to identify successful credential harvesting.
  • Use Shodan/FOFA queries for Laravel-Framework or laravel-framework to identify exposed instances for proactive asset discovery.
  • GreyNoise reclassified ENV Crawler IPs as malicious (over 11,000 IPs at time of publication); blocking GreyNoise ENV Crawler tag will suppress opportunistic .env harvesting bots.
  • The .env filename is not exclusive to Laravel; detections triggering on /.env requests may fire on other frameworks (e.g., Symfony, Node.js dotenv) that also use this file convention.
  • The chained RCE exploit (CVE-2018-15133) targets Laravel 5.5.40 and 5.6.x ≤ 5.6.29, not the same version range as CVE-2017-16894 (≤ 5.5.21); scope them separately in detection rules.
  • The APP_KEY can also leak via Laravel framework error pages (DecryptException or MethodNotAllowedHttpException), not only via the .env file; detection should cover both vectors.
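The first and fourth detection notes above, turned into runnable detection logic as an added example (not code from this record's sources or from Laravel). It assumes HTTP traffic has already been parsed into per-request records with the field names used in HttpRecord; the sample records and their values are constructed.

```python
"""Classify HTTP request/response records for CVE-2017-16894 style .env disclosure."""
import re
from dataclasses import dataclass

# Body markers from the detection note; all three must be present for a confirmed leak.
ENV_MARKERS = ("APP_NAME=", "APP_DEBUG=", "DB_PASSWORD=")
# APP_KEY harvesting pattern from the detection note, narrowed to base64 characters.
APP_KEY_RE = re.compile(r"APP_KEY=base64:([A-Za-z0-9+/=]+)")


@dataclass
class HttpRecord:  # field names are an assumption of this example
    method: str
    path: str
    status: int
    content_type: str
    body: str


def classify(rec):
    """Return 'env_disclosed', 'env_probe' or None for one record.

    'env_probe' marks any GET for /.env (the path is shared by non-Laravel apps,
    so it is a weak signal on its own); 'env_disclosed' requires a 200 whose
    body carries all three markers, the confirmed indicator from the note.
    """
    if rec.method != "GET" or rec.path.split("?", 1)[0] != "/.env":
        return None
    if rec.status == 200 and all(m in rec.body for m in ENV_MARKERS):
        return "env_disclosed"
    return "env_probe"


def leaked_app_key(body):
    """Return the APP_KEY value if the body matches the harvesting pattern, else None."""
    m = APP_KEY_RE.search(body)
    return m.group(1) if m else None


def scan(records):
    """Return (path, label, app_key_leaked) for every record that hits the /.env path."""
    findings = []
    for rec in records:
        label = classify(rec)
        if label is None:
            continue
        key = leaked_app_key(rec.body) if label == "env_disclosed" else None
        findings.append((rec.path, label, key is not None))
    return findings


# Constructed sample traffic: a normal page hit, a failed probe, and a disclosure.
SAMPLE = [
    HttpRecord("GET", "/index.php", 200, "text/html", "<html>...</html>"),
    HttpRecord("GET", "/.env", 404, "text/html", "Not Found"),
    HttpRecord("GET", "/.env", 200, "application/octet-stream",
               "APP_NAME=Laravel\nAPP_DEBUG=true\nAPP_KEY=base64:QUJDREVGRw==\nDB_PASSWORD=s3cret\n"),
]
```

A single probe record is expected noise from crawlers and only worth counting; the disclosure label is the one to alert on, and a leaked APP_KEY means the key must be rotated alongside the database credentials.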

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 7.5   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck     |         | 7.5   | HIGH     |
vendor_debian |         | 7.5   | LOW      |