Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
CVE-2021-3129
Score elevated to 9.8 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2023-09-18), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.8
- EG Score
- 9.8(medium)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
January 12, 2021
Last Modified
November 10, 2025
Advisory Details (4)
Auto-updated Jun 1, 2026Known Exploited Vulnerabilities Catalog | CISA
Known Exploited Vulnerabilities Catalog | CISA. Listed in CISA Known Exploited Vulnerabilities catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3129Lexfo's security blog - Laravel <= v8.4.2 debug mode: Remote code execution
https://www.ambionics.io/blog/laravel-debug-rceFix MakeViewVariableOptionalSolution to disallow stream wrappers and files that do not end in .blade.php
Patch available: facade/ignition 2.9.0 (PR #334 merged 2020-11-17)
https://github.com/facade/ignition/pull/334Affected Packages
(1 across 1 ecosystem)
Packagist(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| facade/ignition | 1.0.0 ... 1.6.9 (41 versions) | 1.6.15 | — |
Data Freshness Timeline
(refreshed 0× in last 7d / 0× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-12 14:27 UTCEG score recompute
- 2026-07-12 10:50 UTCEG score recompute
- 2026-07-12 07:13 UTCEG score recompute
- 2026-07-12 03:34 UTCEG score recompute
- 2026-07-11 23:55 UTCEG score recompute
- 2026-07-11 20:18 UTCEG score recompute
- 2026-07-11 16:40 UTCEG score recompute
- 2026-07-11 13:03 UTCEG score recompute
- 2026-07-11 09:25 UTCEG score recompute
- 2026-07-11 05:48 UTCEG score recompute
- 2026-07-11 02:11 UTCEG score recompute
- 2026-07-10 22:33 UTCEG score recompute
- 2026-07-10 18:55 UTCEG score recompute
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 15:18 UTCEG score recompute
- 2026-07-10 11:40 UTCEG score recompute
- 2026-07-10 08:02 UTCEG score recompute
- 2026-07-10 04:24 UTCEG score recompute
- 2026-07-10 00:47 UTCEG score recompute
- 2026-07-09 21:10 UTCEG score recompute
- 2026-07-09 17:33 UTCEG score recompute
- 2026-07-09 13:56 UTCEG score recompute
- 2026-07-09 10:18 UTCEG score recompute
- 2026-07-09 06:41 UTCEG score recompute
- 2026-07-09 03:04 UTCEG score recompute
Show 75 moreShow fewer
- 2026-07-08 23:25 UTCEG score recompute
- 2026-07-08 19:48 UTCEG score recompute
- 2026-07-08 16:07 UTCEG score recompute
- 2026-07-08 12:30 UTCEG score recompute
- 2026-07-08 08:52 UTCEG score recompute
- 2026-07-08 05:15 UTCEG score recompute
- 2026-07-08 01:37 UTCEG score recompute
- 2026-07-07 22:00 UTCEG score recompute
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 18:23 UTCEG score recompute
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 14:46 UTCEG score recompute
- 2026-07-07 11:07 UTCEG score recompute
- 2026-07-07 07:29 UTCEG score recompute
- 2026-07-07 03:52 UTCEG score recompute
- 2026-07-07 00:15 UTCEG score recompute
- 2026-07-06 20:37 UTCEG score recompute
- 2026-07-06 16:59 UTCEG score recompute
- 2026-07-06 13:22 UTCEG score recompute
- 2026-07-06 09:45 UTCEG score recompute
- 2026-07-06 06:04 UTCEG score recompute
- 2026-07-06 02:25 UTCEG score recompute
- 2026-07-05 22:47 UTCEG score recompute
- 2026-07-05 19:10 UTCEG score recompute
- 2026-07-05 15:33 UTCEG score recompute
- 2026-07-05 11:55 UTCEG score recompute
- 2026-07-05 08:18 UTCEG score recompute
- 2026-07-05 04:40 UTCEG score recompute
- 2026-07-05 01:02 UTCEG score recompute
- 2026-07-04 21:23 UTCEG score recompute
- 2026-07-04 17:46 UTCEG score recompute
- 2026-07-04 14:08 UTCEG score recompute
- 2026-07-04 10:31 UTCEG score recompute
- 2026-07-04 06:51 UTCEG score recompute
- 2026-07-04 03:11 UTCEG score recompute
- 2026-07-03 23:33 UTCEG score recompute
- 2026-07-03 19:55 UTCEG score recompute
- 2026-07-03 16:18 UTCEG score recompute
- 2026-07-03 12:41 UTCEG score recompute
- 2026-07-03 09:01 UTCEG score recompute
- 2026-07-03 05:24 UTCEG score recompute
- 2026-07-03 01:45 UTCEG score recompute
- 2026-07-02 22:08 UTCEG score recompute
- 2026-07-02 18:31 UTCEG score recompute
- 2026-07-02 14:55 UTCEG score recompute
- 2026-07-02 11:17 UTCEG score recompute
- 2026-07-02 07:40 UTCEG score recompute
- 2026-07-02 04:04 UTCEG score recompute
- 2026-07-02 00:26 UTCEG score recompute
- 2026-07-01 20:48 UTCEG score recompute
- 2026-07-01 19:16 UTCCISA KEV update
- 2026-07-01 17:12 UTCEG score recompute
- 2026-07-01 13:34 UTCEG score recompute
- 2026-07-01 09:57 UTCEG score recompute
- 2026-07-01 06:20 UTCEG score recompute
- 2026-07-01 02:43 UTCEG score recompute
- 2026-06-30 23:06 UTCEG score recompute
- 2026-06-30 19:29 UTCEG score recompute
- 2026-06-30 15:52 UTCEG score recompute
- 2026-06-30 12:15 UTCEG score recompute
- 2026-06-30 08:37 UTCEG score recompute
- 2026-06-30 04:58 UTCEG score recompute
- 2026-06-30 01:21 UTCEG score recompute
- 2026-06-29 21:44 UTCEG score recompute
- 2026-06-29 19:12 UTCCISA KEV update
- 2026-06-29 18:07 UTCEG score recompute
- 2026-06-29 14:26 UTCEG score recompute
- 2026-06-29 10:49 UTCEG score recompute
- 2026-06-29 07:12 UTCEG score recompute
- 2026-06-29 03:33 UTCEG score recompute
- 2026-06-28 23:55 UTCEG score recompute
- 2026-06-28 20:18 UTCEG score recompute
- 2026-06-28 16:41 UTCEG score recompute
- 2026-06-28 13:03 UTCEG score recompute
- 2026-06-28 09:26 UTCEG score recompute
Publicly available exploits
(10 references)Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoC0x0d3ad/CVE-2021-3129First seen Sep 29, 2024
CVE-2021-3129 (Laravel Ignition RCE Exploit)
Open source ↗ - GitHub PoCajisai-babu/CVE-2021-3129-expFirst seen Mar 4, 2023
Laravel Debug mode RCE漏洞(CVE-2021-3129)poc / exp
Open source ↗ - GitHub PoCjoshuavanderpoll/CVE-2021-3129First seen Apr 16, 2022
Laravel RCE Exploit PoC - CVE-2021-3129 (user-friendly with automatic log path detection)
Open source ↗ - GitHub PoCknqyf263/CVE-2021-3129First seen Oct 1, 2021
PoC for CVE-2021-3129 (Laravel)
Open source ↗ - GitHub PoCzhzyker/CVE-2021-3129First seen Feb 18, 2021
Laravel <= v8.4.2 debug mode: Remote code execution (CVE-2021-3129)
Open source ↗ - GitHub PoCnth347/CVE-2021-3129_exploitFirst seen Jan 27, 2021
Exploit for CVE-2021-3129
Open source ↗ - Open source ↗GitHub PoCcrisprss/Laravel_CVE-2021-3129_EXPFirst seen Jan 27, 2021
- Open source ↗GitHub PoCSecPros-Team/laravel-CVE-2021-3129-EXPFirst seen Jan 25, 2021
- GitHub PoCSNCKER/CVE-2021-3129First seen Jan 22, 2021
Laravel debug rce
Open source ↗ - Exploit-DBEDB-49424First seen Jan 14, 2021
Laravel 8.4.2 debug mode - Remote code execution
Open source ↗
Frequently asked(6)
What is CVE-2021-3129?
When was CVE-2021-3129 disclosed?
Is CVE-2021-3129 actively exploited?
What is the CVSS score of CVE-2021-3129?
Which products are affected by CVE-2021-3129?
How do I remediate CVE-2021-3129?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-3129
Is Your Infrastructure Affected by CVE-2021-3129?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.