High severity7.5NVD Advisory· Published Nov 20, 2017· Updated Jun 17, 2026
CVE-2017-16894
CVE-2017-16894
Description
In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=5.5.21
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.