VYPR
High severity · NVD Advisory · Published Dec 20, 2021 · Updated Aug 4, 2024

CVE-2020-19316

Description

OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OS command injection in Laravel's Filesystem::link() on Windows lets an attacker who controls the method's $target or $link arguments execute arbitrary commands on the application server.

Vulnerability

The link() method in Illuminate\Filesystem\Filesystem.php (Laravel before 5.8.17) interpolates its $target and $link parameters directly into a Windows mklink command string that is handed to exec(), with no escaping. Any application code that forwards attacker-influenced values into those parameters therefore lets arbitrary OS commands be injected [1][2]. Affected versions: all Laravel versions before 5.8.17.

Exploitation

An attacker needs control over the $target or $link value passed to Filesystem::link(); the method is not reachable on its own, only through whatever application code calls it. On Windows, link() runs exec() on a command string built by placing each input inside literal double quotes [4]. Because nothing is escaped, a value containing a double quote closes that quoting, and cmd.exe metacharacters such as & or | then start a second command on the same line. No authentication is required if the application exposes such a call site through an unauthenticated route.
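To make the quoting failure concrete, the following is an added example (not Laravel's code) that rebuilds the command line link() produced on Windows before and after the fix and prints it instead of executing it. The function names buildMklinkVulnerable and buildMklinkPatched and the sample paths are assumptions; note that escapeshellarg() output is platform-dependent, and the Windows form (double quotes around the value, embedded quotes replaced by spaces) is the one that matters here.

```php
<?php
// Added example, not Laravel's code. Rebuilds the mklink command line that
// Illuminate\Filesystem\Filesystem::link() produced on Windows before 5.8.17
// and after the fix, and prints it instead of handing it to exec().

// Pre-5.8.17 shape: raw interpolation inside literal double quotes
// (hypothetical function name).
function buildMklinkVulnerable(string $link, string $target, bool $isDir): string
{
    $mode = $isDir ? 'J' : 'H';
    return "mklink /{$mode} \"{$link}\" \"{$target}\"";
}

// 5.8.17 shape: each argument passed through escapeshellarg()
// (hypothetical function name).
function buildMklinkPatched(string $link, string $target, bool $isDir): string
{
    $mode = $isDir ? 'J' : 'H';
    return "mklink /{$mode} " . escapeshellarg($link) . ' ' . escapeshellarg($target);
}

// Constructed attacker value for $link: the embedded " closes the quoted
// argument, & makes cmd.exe run a second command, and the trailing " keeps
// the remainder of the line syntactically balanced.
$hostileLink = 'public\\storage" & echo INJECTED > C:\\injected.txt & "';
$target      = 'C:\\app\\storage\\app\\public';

echo 'vulnerable: ', buildMklinkVulnerable($hostileLink, $target, true), PHP_EOL;
echo 'patched:    ', buildMklinkPatched($hostileLink, $target, true), PHP_EOL;
```

In the vulnerable string cmd.exe sees three commands separated by &: the mklink, the injected echo, and a leftover fragment consisting of an empty quoted string followed by the target. In the patched string, on Windows, the whole value is a single double-quoted argument in which escapeshellarg() has replaced the embedded quotes with spaces, so & and > are just part of a (now invalid) link name and mklink fails instead of running the payload.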

Impact

Successful exploitation lets an attacker execute arbitrary OS commands on the Windows server running the Laravel application, in the context of the PHP process. This can lead to complete compromise of the application server, including data theft, modification, or further lateral movement [1][2].

Mitigation

The fix, released in Laravel 5.8.17, wraps both parameters with escapeshellarg() before building the command [4]. Users should upgrade to 5.8.17 or later. Note that on Windows escapeshellarg() does not escape double quotes, % or !; it replaces them with spaces and wraps the result in double quotes, so the fix prevents breaking out of the argument but does not preserve those characters in a path. If upgrading is not possible, never pass user-controlled values to Filesystem::link(); validate any path that reaches it against an allow-list of safe characters and an expected base directory rather than trying to block individual shell characters. The vulnerability is not listed on CISA's KEV.
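For applications that cannot move off a pre-5.8.17 release, here is an added example (not Laravel's code) of a guard placed at the call site, rejecting any value that is not a plain path under an allowed base directory before it reaches Filesystem::link(). The class name LinkPathGuard, the base directory, and the sample candidates are assumptions; PHP 8 is assumed for constructor property promotion.

```php
<?php
// Added example, not Laravel's code. A call-site guard for applications
// stuck on Laravel < 5.8.17 that derive link paths from user input: it
// rejects shell metacharacters, traversal segments and paths outside an
// allowed base before the value can reach the mklink command line.

final class LinkPathGuard
{
    // Characters cmd.exe treats specially, plus the quote that closes the
    // argument and control characters that should never appear in a path.
    private const CMD_METACHARS = '/["&|<>^%!\r\n\x00]/';

    public function __construct(private string $allowedBase) {}

    // Returns the normalised path or throws; never silently rewrites input.
    public function check(string $path): string
    {
        if (preg_match(self::CMD_METACHARS, $path) === 1) {
            throw new InvalidArgumentException("Shell metacharacter in path: {$path}");
        }

        // Normalise separators, then refuse traversal segments outright
        // instead of trying to resolve them.
        $normalised = str_replace('/', '\\', $path);
        foreach (explode('\\', $normalised) as $segment) {
            if ($segment === '..') {
                throw new InvalidArgumentException("Path traversal in path: {$path}");
            }
        }

        // Case-insensitive prefix check, since NTFS paths are case-insensitive.
        $base = rtrim($this->allowedBase, '\\') . '\\';
        if (stripos($normalised, $base) !== 0) {
            throw new InvalidArgumentException("Path outside allowed base: {$path}");
        }

        return $normalised;
    }
}

// Usage: validate at the call site instead of trusting the framework's quoting.
$guard  = new LinkPathGuard('C:\\app\\public');
$target = 'C:\\app\\storage\\app\\public';

// Constructed candidates: one legitimate, one injection attempt, one traversal.
$candidates = [
    'C:\\app\\public\\storage',
    'C:\\app\\public\\x" & whoami & "',
    'C:\\app\\public\\..\\..\\Windows\\System32',
];

foreach ($candidates as $candidate) {
    try {
        $safeLink = $guard->check($candidate);
        // $files->link($target, $safeLink);  // Illuminate\Filesystem\Filesystem
        echo "accepted: {$safeLink}", PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}", PHP_EOL;
    }
}
```

The guard deliberately throws rather than stripping characters: a path that needed sanitising was attacker-shaped to begin with, and rewriting it quietly would hide the attempt from logs and tests. The same check should be applied to $target when that value is also derived from input.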

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
laravel/framework (Packagist)  < 5.8.17            5.8.17


Patches (1)

44c3feb60494

use escapeshellarg on windows symlink

https://github.com/laravel/framework · Taylor Otwell · May 14, 2019 · via ghsa
1 file changed · +1 −1
  • src/Illuminate/Filesystem/Filesystem.php  +1 −1  modified
    @@ -254,7 +254,7 @@ public function link($target, $link)
     
             $mode = $this->isDirectory($target) ? 'J' : 'H';
     
    -        exec("mklink /{$mode} \"{$link}\" \"{$target}\"");
    +        exec("mklink /{$mode} ".escapeshellarg($link)." ".escapeshellarg($target));
         }
     
         /**
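Review bot: the exec() call on the new line still discards mklink's exit status, so a link that fails to be created (including one rejected because escapeshellarg() mangled the name) is silent to the caller; capture the third exec() argument and throw or return false on a non-zero status. Also worth documenting at this line: on Windows escapeshellarg() does not escape double quotes, % or !, it replaces them with spaces, so a $link or $target containing those characters is altered rather than preserved. Rejecting such characters before the exec() call would make that behaviour explicit instead of relying on the quoting alone.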
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
