CVE-2021-43617
Description
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Laravel Framework through 8.70.2 fails to block .phar file uploads, enabling potential RCE on Debian-based systems.
Vulnerability
The Laravel Framework up to version 8.70.2 contains an incomplete file validation check in Illuminate/Validation/Concerns/ValidatesAttributes.php [1]. The validation logic does not include .phar files in its blocklist for executable PHP content. On Debian-based systems, .phar files are handled as application/x-httpd-php, allowing them to be executed as PHP if uploaded [1]. This bypasses the intended restriction that aims to prevent arbitrary PHP code execution through file uploads.
Exploitation
An attacker with the ability to upload files to a Laravel application (e.g., via a user profile picture or document upload feature) can craft a .phar file containing malicious PHP code. The upload must also not be rejected by any additional application-level checks. The framework's built-in validation rules reject .php, .phtml, .php3, .php4, .php5, .php7, .pht, and .phps files, but not .phar. On a Debian-based server, the uploaded .phar file is interpreted as a PHP script when accessed via the web, leading to code execution [1].
Impact
Successful exploitation allows an attacker to achieve remote code execution (RCE) with the privileges of the web server user [1]. This can lead to full compromise of the application and server, including data theft, defacement, or use as a pivot point for further attacks. The confidentiality, integrity, and availability of the system are all at risk.
Mitigation
Laravel released a fix in version 8.70.3 [1]. Users should upgrade to this version or later. The patch adds .phar to the list of blocked file extensions in the validation logic. If upgrading is not immediately possible, developers should add custom validation rules that explicitly reject .phar files, or configure the web server so that .phar files are not executed as PHP. This CVE concerns the framework's own validation code, not incorrectly written user application code [1].
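The interim mitigation above (a custom validation rule that rejects .phar alongside the other PHP extensions) can be implemented as an application-level rule that does not depend on which framework version is installed. The following is an added example and is not Laravel's own code or the patch referenced by the advisory. It assumes Laravel 8.x (the Illuminate\Contracts\Validation\Rule interface and Illuminate\Http\UploadedFile class); the function and class names hasExecutablePhpExtension and NotExecutablePhpUpload are hypothetical, and the self-check file names at the bottom are constructed. The pure function has no framework dependency, so the file also runs stand-alone under the PHP CLI.

```php
<?php
// Added example, not Laravel's own code. Assumes Laravel 8.x for the Rule
// interface and UploadedFile; the extension check itself is framework-free.

use Illuminate\Contracts\Validation\Rule;
use Illuminate\Http\UploadedFile;

// Extensions named in the CVE description, plus .phar (the one the framework
// check missed). Assumption: tune this list to match the patterns your web
// server maps to a PHP handler (compare Debian's php-cgi.conf).
const EXECUTABLE_PHP_EXTENSIONS = [
    'php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'pht', 'phps', 'phar',
];

/**
 * Return true when any extension segment of the client-supplied file name is
 * one a PHP handler may execute. Every dotted segment after the base name is
 * checked, so "avatar.phar.jpg" is rejected as well as "avatar.phar": a
 * conservative choice that does not depend on which extension the server
 * happens to look at.
 */
function hasExecutablePhpExtension(string $clientFileName): bool
{
    $segments = explode('.', strtolower(trim($clientFileName)));
    array_shift($segments); // drop the base name, keep only extension segments
    foreach ($segments as $segment) {
        if (in_array(trim($segment), EXECUTABLE_PHP_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Validation rule object for use alongside Laravel's built-in 'image'/'mimes'
// rules. Declared only when the framework interface is loadable, so the file
// still runs under plain PHP for the self-check below.
if (interface_exists(Rule::class)) {
    class NotExecutablePhpUpload implements Rule
    {
        public function passes($attribute, $value)
        {
            if (! $value instanceof UploadedFile || ! $value->isValid()) {
                return false;
            }
            return ! hasExecutablePhpExtension($value->getClientOriginalName());
        }

        public function message()
        {
            return 'The :attribute must not be a file the server could execute as PHP.';
        }
    }
}

// Hypothetical controller usage:
// $request->validate([
//     'avatar' => ['required', 'file', 'image', 'max:2048', new NotExecutablePhpUpload],
// ]);
// When storing, do not reuse the client file name; let Laravel generate one:
// $path = $request->file('avatar')->store('avatars');

// Stand-alone self-check with constructed file names (no framework needed).
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $cases = [
        'avatar.jpg'      => false,
        'avatar.phar'     => true,
        'avatar.PHAR'     => true,
        'avatar.phar.jpg' => true,
        'report.pdf'      => false,
        'index.php'       => true,
    ];
    foreach ($cases as $name => $expected) {
        if (hasExecutablePhpExtension($name) !== $expected) {
            throw new RuntimeException("unexpected result for {$name}");
        }
    }
    echo "all constructed cases behave as expected\n";
}
```

The rule inspects the client-supplied name rather than the MIME type guessed from content, because the execution decision on the server is also made from the name: Debian's php-cgi.conf (referenced on this page) maps files by extension to the PHP handler. Pair the rule with a storage step that discards the original file name, and review the server's handler mapping so that .phar is not executed even if a file with that extension does reach the filesystem.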
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| laravel/framework (Packagist) | <= 8.70.2 | — |
Affected products
- Laravel / Laravel Framework
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-364w-9g92-3grq (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43617 (advisory)
- github.com/laravel/framework/blob/2049de73aa099a113a287587df4cc522c90961f5/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
- hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
- salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a667fd8/debian/php-cgi.conf
- salsa.debian.org/php-team/php/-/commit/dc253886b5b2e9bc8d9e36db787abb083a667fd8
News mentions
No linked articles in our index yet.