CVE-2021-21263

7.2 HIGH

📋 TL;DR

CVE-2021-21263 is a query binding vulnerability in the Laravel query builder (the illuminate/database package). Builder methods such as where() expect a scalar value, but PHP turns request parameters written as `?email[]=a&email[]=b` (or a JSON body field holding an array) into arrays. On affected versions each array element was added as a separate query binding, so the bindings no longer matched the placeholders in the SQL the builder emits. Applications that pass request input to the query builder without validating or casting it are affected. Depending on the surrounding query, an attacker can make a statement evaluate against values placed in the wrong parameter slots (unexpected results) or fail with a parameter-count error (no results and an application error).
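The pattern described above, as an added example that is not code from the Laravel project or the advisory. It needs illuminate/database installed through Composer and PDO SQLite; the `password_resets` table, its columns, the request values and the `scalarInput()` helper are all constructed for the illustration. It shows the vulnerable call shape, prints the bindings the builder produced so you can see how your installed version treats an array value, and then the same lookup behind a scalar-only check.

```php
<?php
// Added example (not from the Laravel project or the advisory). Assumes
// illuminate/database is installed via Composer; table/column/input names are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;

$capsule = new Capsule();
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:']);
$capsule->setAsGlobal();

Capsule::schema()->create('password_resets', function ($table) {
    $table->string('email');
    $table->string('token');
});
Capsule::table('password_resets')->insert([
    'email' => 'victim@example.com',
    'token' => 'c0ffee',
]);

// Constructed request input. PHP parses ?email[]=victim@example.com&email[]=zzz
// into an array; a JSON body {"email": [...]} arrives the same way.
$untrusted = ['email' => ['victim@example.com', 'zzz'], 'token' => 'guess'];

// VULNERABLE PATTERN: raw request values go straight into where().
$query = Capsule::table('password_resets')
    ->where('email', $untrusted['email'])
    ->where('token', $untrusted['token']);

echo $query->toSql(), PHP_EOL;   // one "?" placeholder per where() call
print_r($query->getBindings());
// Bindings are applied to placeholders by position. On unpatched versions every element
// of the email array became its own binding, so the list handed to PDO no longer lined
// up with the two conditions written above; a patched builder collapses the array to a
// single value before binding, so the counts match again.

// Cheap pre-execution sanity check: the number of bindings must equal the number of
// placeholders. (A literal "?" inside a raw SQL string would make this count off.)
function bindingsMatchPlaceholders($query): bool
{
    return substr_count($query->toSql(), '?') === count($query->getBindings());
}
echo 'bindings match placeholders: ', var_export(bindingsMatchPlaceholders($query), true), PHP_EOL;

// HARDENED: refuse anything that is not a single string before it reaches the builder.
function scalarInput(array $input, string $key): string
{
    $value = $input[$key] ?? null;
    if (!is_string($value)) {
        // Arrays, nulls and nested structures are rejected instead of silently coerced.
        // In a Laravel controller the equivalent is
        // $request->validate(['email' => ['required', 'string', 'email'], 'token' => ['required', 'string']]);
        // the "string" rule fails for array values.
        throw new InvalidArgumentException("Parameter '$key' must be a single string value");
    }
    return $value;
}

try {
    $row = Capsule::table('password_resets')
        ->where('email', scalarInput($untrusted, 'email'))
        ->where('token', scalarInput($untrusted, 'token'))
        ->first();
    var_dump($row);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;   // the array never reaches SQL
}
```

Run it with `php example.php` from a directory where `composer require illuminate/database` has been executed. The binding dump is the quickest way to tell which behaviour your installed version has; the validation helper is the fix that works regardless of version, and is what the workaround section below amounts to in code.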

💻 Affected Systems

Products:
  • Laravel
  • illuminate/database
Versions: Laravel 6.x before 6.20.11, 7.x before 7.30.2, 8.x before 8.22.1; the same version numbers apply to illuminate/database, which is split out of laravel/framework and carries the fix in the same releases
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes (no configuration option prevents it)
Notes: Exposure depends on application code: a request value (query string, form field or JSON body field) must reach a query builder method such as where() without being validated or cast to a scalar. Applications that validate every such field as a string or integer are not exploitable even on affected versions.

📦 What is this software?

Laravel is a PHP web application framework. illuminate/database is its database layer (the query builder, schema builder and Eloquent ORM). It ships inside laravel/framework and is also published as a standalone Composer package, so non-Laravel PHP applications that depend on illuminate/database directly are affected as well.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A query condition is evaluated against a value the attacker placed in a different request parameter, so a lookup matches a row the attacker should not be able to select or alter; depending on what the query guards, that means data leakage or integrity issues.

🟠

Likely Case

The statement fails before it runs because the binding count no longer matches the placeholder count (on MySQL via PDO this surfaces as "SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens"), producing HTTP 500 responses; repeated crafted requests amount to a denial of service of the affected endpoint.

🟢

If Mitigated

No impact if proper input validation and type casting are implemented.

🌐 Internet-Facing: HIGH - Web applications accepting user input are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications could still be vulnerable if accepting user input.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires application code that passes a request value (query string, form or JSON body field) to a query builder value without checking that it is a scalar, and a query shape in which the shifted bindings still line up with the placeholders; otherwise the request only produces an error.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Laravel 6.20.11, 7.30.2, 8.22.1 or later

Vendor Advisory: https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x

Restart Required: No (PHP-FPM workers pick up the updated files; reload php-fpm if opcache.validate_timestamps is disabled in production)

Instructions:

1. Update Laravel via Composer: composer update laravel/framework (raise the constraint in composer.json first if it pins a version below the patched release)
2. Update illuminate/database if it is used separately: composer update illuminate/database
3. Verify the installed version matches a patched release: composer show laravel/framework (or composer show illuminate/database) and check the "versions" line

🔧 Temporary Workarounds

Input Validation Workaround (Platform: all)

Validate and type-cast every request value before it reaches a query builder method: reject arrays where a single value is expected (Laravel's `string` and `integer` validation rules both fail for array input), and never hand `$request->all()` or an unvalidated `$request->input()` result to where(), whereIn(), update() or similar calls.

🧯 If You Can't Patch

  • Validate every request field that ends up in a query as a scalar (for example `['email' => ['required', 'string', 'email']]`) and pull the validated values out by name; the `string` rule rejects arrays, which is exactly the input this issue needs
  • Do not pass raw request input, `$request->all()` or request arrays directly to query builder methods; the builder parameterizes values for you, but it cannot tell an intentional array (whereIn) from an injected one unless your code enforces the expected type

🔍 How to Verify

Check if Vulnerable:

Compare the installed framework version with the patched releases. `php artisan --version` prints the version of laravel/framework in a Laravel application; for a project that uses illuminate/database on its own, use `composer show illuminate/database`.

Check Version:

php artisan --version
composer show laravel/framework
composer show illuminate/database

With Composer 2.4 or later, `composer audit` also reports installed packages that match a published advisory.

Verify Fix Applied:

The reported version is 6.20.11 or later on the 6.x branch, 7.30.2 or later on 7.x, or 8.22.1 or later on 8.x. Check that vendor/ was actually refreshed on the deployed host (composer.lock alone proves nothing if the deployment did not run composer install).

📡 Detection & Monitoring

Log Indicators:

  • PDO binding-count errors in application logs, for example "SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens"
  • Queries whose number of bindings differs from the number of placeholders (visible in query logging, e.g. DB::listen or the Laravel Telescope query log)
  • A spike in HTTP 500 responses on endpoints that look up records by a request parameter

Network Indicators:

  • HTTP requests carrying array-style parameters (`field[]=` or `field[key]=`, including the URL-encoded forms `%5B%5D` and `%5B...%5D`) for fields the application expects as single values
  • JSON request bodies where a field that should be a string holds an array (these are not visible in web-server access logs; they require application-level request logging)

SIEM Query:

web_requests WHERE parameters CONTAINS '[]' OR parameters CONTAINS '%5B%5D' OR parameters MATCHES '.*(\[|%5B).*(\]|%5D).*'

Expect false positives from legitimate multi-select form fields (`tags[]=a&tags[]=b`); restrict the match to parameter names the application treats as scalars where possible.
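The detection logic above, run over sample log lines, as an added example that is not part of the original page. The access-log lines and the list of scalar-only parameter names (`$scalarFields`) are constructed for the example. Unlike the pseudo-query, it decodes the query string first, so `%5B%5D` and `[]` are handled alike, and it only flags array values for parameters the application is known to expect as scalars.

```php
<?php
// Added example, not from the original page. Scans web-server access log lines for
// query-string parameters that arrive as arrays (name[]=..., name[k]=..., and the
// URL-encoded %5B / %5D forms). Log lines and field names are constructed/hypothetical.

$logLines = [
    '203.0.113.7 - - [10/Jan/2021:10:00:01 +0000] "GET /reset?email=alice%40example.com&token=abc HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2021:10:00:02 +0000] "GET /reset?email[]=alice%40example.com&email[]=x&token=abc HTTP/1.1" 500 0',
    '198.51.100.9 - - [10/Jan/2021:10:00:03 +0000] "GET /reset?email%5B%5D=bob%40example.com&email%5B%5D=y&token=zzz HTTP/1.1" 500 0',
    '198.51.100.9 - - [10/Jan/2021:10:00:04 +0000] "POST /search HTTP/1.1" 200 2048',
    '192.0.2.4 - - [10/Jan/2021:10:00:05 +0000] "GET /filter?tags[]=php&tags[]=laravel HTTP/1.1" 200 4096',
];

// Parameters this (hypothetical) application treats as single scalar values.
$scalarFields = ['email', 'token', 'id'];

/**
 * Returns the query parameters in $uri whose value parsed as an array, keyed by
 * parameter name with the number of leaf values, e.g. ['email' => 2].
 * parse_str() percent-decodes names and values, so "email%5B%5D" and "email[]"
 * are treated identically.
 */
function arrayParams(string $uri): array
{
    $query = parse_url($uri, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);
    $found = [];
    foreach ($params as $name => $value) {
        if (is_array($value)) {
            $found[$name] = count($value, COUNT_RECURSIVE);
        }
    }
    return $found;
}

/**
 * Parses common/combined log format lines and reports requests that send an array
 * for a parameter listed in $scalarFields. Each hit carries the line number,
 * client IP, request URI and the offending parameters.
 */
function scanAccessLog(array $lines, array $scalarFields): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        // client ip ... "METHOD /uri HTTP/x.y"
        if (!preg_match('/^(\S+) .*?"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        [, $ip, $uri] = $m;
        // Only flag array values for parameters the app expects as scalars;
        // multi-select fields such as tags[]=php&tags[]=laravel are legitimate.
        $suspicious = array_intersect_key(arrayParams($uri), array_flip($scalarFields));
        if ($suspicious !== []) {
            $hits[] = ['line' => $n + 1, 'ip' => $ip, 'uri' => $uri, 'params' => $suspicious];
        }
    }
    return $hits;
}

foreach (scanAccessLog($logLines, $scalarFields) as $hit) {
    printf("line %d  %s  %s  array params: %s\n",
        $hit['line'], $hit['ip'], $hit['uri'], json_encode($hit['params']));
}
```

Point it at a real file with `file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)` in place of `$logLines`. Access logs only show query strings; array values in form or JSON bodies (the `POST /search` line above) need application-level request logging, and the same `arrayParams()` idea can be applied to a logged body instead of a URI.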

🔗 References

  • Vendor advisory: https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x