Critical severity · CISA KEV · NVD Advisory · Published Jan 12, 2021 · Updated Oct 21, 2025

CVE-2021-3129

Description

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions        Patched versions
facade/ignition (Packagist)    >= 2.5.0, < 2.5.2        2.5.2
facade/ignition (Packagist)    >= 2.0.0, < 2.4.2        2.4.2
facade/ignition (Packagist)    >= 1.7.0, < 1.16.14      1.16.14
facade/ignition (Packagist)    < 1.6.15                 1.6.15
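
Added example (not part of the advisory or the Ignition project): a Python check that reads a composer.lock and reports whether the locked facade/ignition version falls inside the affected ranges listed above. The sample lock file is constructed, and versions that are not plain numeric tags are reported as None for manual review.

```python
import json

# Affected ranges for facade/ignition, taken from the table in this advisory:
# (inclusive lower bound or None, exclusive upper bound = first patched version)
AFFECTED = [
    ((2, 5, 0), (2, 5, 2)),
    ((2, 0, 0), (2, 4, 2)),
    ((1, 7, 0), (1, 16, 14)),
    (None, (1, 6, 15)),
]

# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.4.1"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.5.1"}],
})

def parse_version(text):
    """Turn '2.5.1' or 'v2.5.1' into (2, 5, 1); None for dev branches or pre-releases."""
    parts = text.lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    """True/False for numeric versions, None when the version needs manual review."""
    v = parse_version(version)
    if v is None:
        return None
    return any((low is None or v >= low) and v < high for low, high in AFFECTED)

def check_lock(lock_text):
    """Return (version, affected) for facade/ignition, or None if it is not locked."""
    lock = json.loads(lock_text)
    # Ignition is usually a dev dependency, so both sections are searched.
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "facade/ignition":
            return pkg["version"], is_affected(pkg["version"])
    return None

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A True result only establishes that a vulnerable Ignition release is installed; per the description, exposure also depends on the site running in debug mode.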

Affected products

  • Ignition/Ignition

Patches

11ffca14abd2

Fix MakeViewVariableOptionalSolution to disallow stream wrappers and files that do not end in .blade.php

https://github.com/facade/ignition · Anas Mirza · Feb 18, 2021 · via ghsa
1 file changed · +18 0
  • src/Solutions/MakeViewVariableOptionalSolution.php+18 0 modified
    @@ -4,6 +4,7 @@
     
     use Facade\IgnitionContracts\RunnableSolution;
     use Illuminate\Support\Facades\Blade;
    +use Illuminate\Support\Str;
     
     class MakeViewVariableOptionalSolution implements RunnableSolution
     {
    @@ -70,8 +71,25 @@ public function run(array $parameters = [])
             }
         }
     
    +    protected function isSafePath(string $path): bool
    +    {
    +        if (!Str::startsWith($path, ['/', './'])) {
    +            return false;
    +        }
    +
    +        if (!Str::endsWith($path, '.blade.php')) {
    +            return false;
    +        }
    +
    +        return true;
    +    }
    +
         public function makeOptional(array $parameters = [])
         {
    +        if (!$this->isSafePath($parameters['viewFile'])) {
    +            return false;
    +        }
    +
             $originalContents = file_get_contents($parameters['viewFile']);
             $newContents = str_replace('$'.$parameters['variableName'], '$'.$parameters['variableName']." ?? ''", $originalContents);
     
    
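Review bot: isSafePath() validates only the start and end of the string, so in makeOptional() any absolute path ending in .blade.php passes and ".." segments after "./" are never normalised; the guard would be tighter if it canonicalised the path with realpath() and required the result to lie under the application's configured view directories. $parameters['viewFile'] is also read without an isset()/is_string() check, so a request that omits it or sends a non-string value fails with an error at the guard instead of returning false. The change touches one file and adds no test for the rejected cases named in the commit message (stream-wrapper prefix, wrong extension), which would be worth adding alongside it.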
