cbcvebase.
CVE-2021-43617
published 2021-11-14


Priority: P269
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged
EPSS: 19.81% (97.1th percentile)
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.

Affected (3 ranges)

| Vendor  | Product               | Version range                                     | Fixed in                                        |
|---------|-----------------------|---------------------------------------------------|-------------------------------------------------|
| debian  | php-laravel-framework | < php-laravel-framework 6.20.14+dfsg-3 (bookworm) | php-laravel-framework 6.20.14+dfsg-3 (bookworm) |
| laravel | framework             | <= 8.70.2                                         |                                                 |
| laravel | framework             | 0 – 8.70.2                                        |                                                 |

Detection & IOCs (extracted from sources)

path: Illuminate/Validation/Concerns/ValidatesAttributes.php
filename: .phar
  • Flag file uploads where the filename extension is .phar but the upload passes Laravel's image/file validation — these files are executed as PHP (application/x-httpd-php) on Debian-based systems and represent a bypass of the validator.
  • Detect uploaded files that begin with the JPEG magic bytes FF D8 FF E0 but carry a .phar (or other executable) extension — this is the documented bypass technique to smuggle executable content past image-upload validation.
  • Monitor web server logs for POST requests delivering files with a .phar extension to any upload endpoint, particularly on Debian-based hosts running Laravel ≤ 8.70.2.
  • The .phar execution risk is specific to Debian-based systems where the web server maps .phar to application/x-httpd-php; non-Debian deployments may not execute uploaded .phar files as PHP.
  • This CVE is scoped to the Laravel Framework's own validator (ValidatesAttributes.php) and is explicitly unrelated to bugs in user-written application code for image upload.
  • Debian package fixes are available: bookworm/bullseye/sid/trixie/forky all resolved in package version 6.20.14+dfsg-3 (or 6.20.14+dfsg-2+deb11u1 for bullseye); ensure the patched package is deployed.
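The following is an added example, not code from the CVE record or from Laravel itself: a defender-side upload check that applies the detection notes above, blocking any filename whose extension would run as PHP on a Debian-based web server (.phar included) regardless of whether the content sniffs as a JPEG. The extension set beyond .php and .phar and the sample filenames are assumptions constructed for illustration.

```python
# Added example, not code from the CVE record or from Laravel: a defender-side
# upload check modelled on the detection notes above. It blocks any upload whose
# extension is executed as PHP on Debian-based web servers (.phar included), even
# when the content starts with JPEG magic bytes. Extensions other than .php and
# .phar are assumptions; tune the set to the server's application/x-httpd-php map.
import os

PHP_EXECUTABLE_EXTENSIONS = {".php", ".phar", ".phtml", ".php3", ".php5", ".phps"}
JPEG_MAGIC = b"\xff\xd8\xff\xe0"  # the magic bytes named in the detection notes

def extension_of(filename):
    """Lowercased final extension, so 'shell.jpg.phar' yields '.phar'."""
    return os.path.splitext(filename.lower())[1]

def looks_like_jpeg(head):
    """True when the leading bytes carry the JPEG/JFIF signature."""
    return head[:4] == JPEG_MAGIC

def assess_upload(filename, head):
    """Return ('block', reason) or ('allow', reason) for one upload.

    The verdict is decided on the extension alone: a content sniff that passes
    must never override it, which is the gap the vulnerable validator had.
    """
    ext = extension_of(filename)
    if ext in PHP_EXECUTABLE_EXTENSIONS:
        if looks_like_jpeg(head):
            return "block", f"image magic bytes but executable extension {ext}"
        return "block", f"executable PHP extension {ext}"
    return "allow", f"extension {ext or '(none)'} is not executable"

def flagged_uploads(uploads):
    """Apply assess_upload to (filename, head) pairs; return the blocked names."""
    return [name for name, head in uploads if assess_upload(name, head)[0] == "block"]

# Constructed sample uploads: only avatar.jpg should be allowed.
SAMPLE_UPLOADS = [
    ("avatar.jpg", JPEG_MAGIC + b"\x00\x10JFIF"),
    ("avatar.phar", JPEG_MAGIC + b"\x00\x10JFIF"),      # the documented bypass shape
    ("avatar.jpg.phar", JPEG_MAGIC + b"\x00\x10JFIF"),  # double extension
    ("AVATAR.PHAR", b"<?php echo 1;"),                   # case variant
]

if __name__ == "__main__":
    for name, head in SAMPLE_UPLOADS:
        print(name, *assess_upload(name, head))
```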

CVSS provenance

| Source        | Version | Score | Severity | Vector                                       |
|---------------|---------|-------|----------|----------------------------------------------|
| nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P                   |
| osv           |         | 9.8   | CRITICAL |                                              |
| vendor_debian |         | 9.8   | CRITICAL |                                              |