CVE-2021-43617

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to upload malicious .phar files that execute PHP code on Laravel applications running on Debian-based systems. It affects Laravel Framework versions through 8.70.2 where file upload validation is used. The issue occurs because the validation component doesn't check for .phar files, which Debian systems treat as executable PHP content.

💻 Affected Systems

Products:
  • Laravel Framework
Versions: All versions through 8.70.2
Operating Systems: Debian-based Linux distributions (Ubuntu, Debian, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Laravel's file upload validation. Requires Debian-based OS where .phar files are configured as application/x-httpd-php.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case: Webshell deployment allowing persistent access, data exfiltration, and further exploitation of the server.

🟢 If Mitigated: Upload attempts blocked at the validation layer with proper logging and alerting.

🌐 Internet-Facing: HIGH - File upload functionality is commonly exposed to internet users.
🏢 Internal Only: MEDIUM - Internal users could still exploit if they have upload access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires file upload functionality accessible to attackers. The vulnerability is well-documented with public references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Laravel 8.73.0 and later

Vendor Advisory: https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-6q8c

Restart Required: No

Instructions:

1. Update Laravel to version 8.73.0 or later with: composer update laravel/framework
2. Verify the update completed successfully (php artisan --version should report 8.73.0 or later).
3. Test file upload functionality to ensure it still works as expected.

🔧 Temporary Workarounds

Custom Validation Rule

Applies to: all

Add custom validation to reject .phar files in file upload validation rules

In your validation rules, keep the mimes allow-list and add a closure rule that rejects a client-supplied .phar extension. Laravel's not_in rule compares scalar field values and never matches an uploaded file, so it cannot be used for this; use a closure instead:

'uploaded_file' => ['required', 'file', 'mimes:jpg,jpeg,png,gif', 'max:2048', function ($attribute, $value, $fail) { if (strtolower($value->getClientOriginalExtension()) === 'phar') { $fail('PHAR archives are not accepted.'); } }]

Web Server Configuration

Applies to: linux

Configure web server to not execute .phar files as PHP

For Apache: add 'RemoveHandler .phar' to .htaccess or the virtual host config. Debian's packaged PHP module typically assigns the handler with a <FilesMatch> SetHandler directive, which RemoveHandler does not undo, so after the change request a harmless test .phar and confirm it is not executed.
For Nginx: add location ~ \.phar$ { deny all; } to the server block and reload Nginx; confirm that a request for a test .phar now returns 403.

🧯 If You Can't Patch

  • Implement strict file type validation in application code to reject all unexpected extensions
  • Store uploaded files outside web root or in cloud storage with no execution permissions
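The following is an added example, not code from the advisory or from the Laravel project. It implements the two application-side mitigations described above: the custom validation rule that rejects .phar (and other PHP-executable) client extensions even on Laravel versions through 8.70.2, where the built-in mimes rule does not block them, and the "store outside the web root" fallback from the list above. It assumes a Laravel 8 application, a form field named uploaded_file, a route dispatching to UploadController::store, and the default local disk (storage/app, which is not web-served); all class, field and route names are illustrative.

```php
<?php
// Added example (not the advisory's or Laravel's own code).
// Assumptions: Laravel 8 app, field `uploaded_file`, default `local` disk.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;

class UploadController extends Controller
{
    // Extensions a Debian-based PHP host may execute. `phar` is the one the
    // vulnerable validation component does not check for.
    private const EXECUTABLE_EXTENSIONS = [
        'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar',
    ];

    // Extensions this endpoint is willing to keep; anything else is refused.
    private const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

    /**
     * Returns null when the client-supplied name is acceptable, otherwise the
     * reason it was refused. Every dot-separated segment is inspected so that
     * a name such as "shell.phar.png" is refused as well as "shell.phar".
     */
    public static function rejectReason(UploadedFile $file): ?string
    {
        $name      = strtolower($file->getClientOriginalName());
        $segments  = explode('.', $name);
        $extension = array_pop($segments);

        if (!in_array($extension, self::ALLOWED_EXTENSIONS, true)) {
            return "extension '{$extension}' is not in the allow-list";
        }
        foreach ($segments as $segment) {
            if (in_array($segment, self::EXECUTABLE_EXTENSIONS, true)) {
                return "name contains executable segment '{$segment}'";
            }
        }
        return null;
    }

    public function store(Request $request)
    {
        $validated = $request->validate([
            'uploaded_file' => [
                'required',
                'file',
                'mimes:jpg,jpeg,png,gif', // Laravel's content-based allow-list
                'max:2048',
                // Closure rule: the name-based deny-list that vulnerable
                // versions lack for .phar. `not_in` would not work here.
                function ($attribute, $value, $fail) {
                    if ($value instanceof UploadedFile
                        && ($reason = self::rejectReason($value)) !== null) {
                        $fail("The {$attribute} was rejected: {$reason}.");
                    }
                },
            ],
        ]);

        /** @var UploadedFile $file */
        $file = $validated['uploaded_file'];

        // Never reuse the client-supplied name: pick a random name with the
        // already-checked extension and write it to a non-web-served disk.
        $safeName = Str::uuid() . '.' . strtolower($file->getClientOriginalExtension());
        $path = $file->storeAs('uploads', $safeName, 'local');

        return response()->json(['stored_as' => $path], 201);
    }
}
```

The closure runs alongside mimes rather than replacing it: mimes inspects the file content, the closure inspects the name the browser sent, and a .phar upload has to pass both. Files land under storage/app/uploads with a UUID name, so even a file that slipped through could not be addressed by its original name from the web.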

🔍 How to Verify

Check if Vulnerable:

Check Laravel version with: php artisan --version. If version is 8.70.2 or earlier, check if using file upload validation.

Check Version:

php artisan --version

Verify Fix Applied:

After the update, verify that the version is 8.73.0 or later. Test uploading a .phar file; it should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed upload attempts with .phar extension
  • Successful upload of .phar files to upload directories
  • Unusual PHP execution from upload directories

Network Indicators:

  • HTTP POST requests with .phar file uploads
  • Subsequent requests to uploaded .phar files

SIEM Query:

source="web_server_logs" AND (uri="*.phar" OR user_agent CONTAINS "phar" OR request_body CONTAINS ".phar")
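The following is an added example, not part of the advisory: a small scanner that applies the log and network indicators above to web-server access logs in the common combined format, ranks the hits, and correlates a POST naming a .phar with a later successful GET of a .phar from the same source. The log lines embedded in it are constructed for the demonstration. One limitation worth knowing: a combined-format access log does not record the multipart body, so an uploaded file name is only visible when it also appears in the URI; the request_body clause of the SIEM query above needs a WAF or application log that captures bodies.

```php
<?php
// Added example, not from the advisory. Sample log lines are constructed.

const SAMPLE_ACCESS_LOG = <<<'LOG'
203.0.113.7 - - [10/Nov/2021:10:00:01 +0000] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2021:10:00:02 +0000] "POST /upload?filename=shell.phar HTTP/1.1" 302 0 "-" "python-requests/2.26.0"
203.0.113.7 - - [10/Nov/2021:10:00:05 +0000] "GET /storage/uploads/shell.phar?cmd=id HTTP/1.1" 200 1337 "-" "python-requests/2.26.0"
198.51.100.4 - - [10/Nov/2021:10:01:00 +0000] "GET /storage/uploads/avatar.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2021:10:02:00 +0000] "GET /storage/uploads/old.phar HTTP/1.1" 404 153 "-" "curl/7.74.0"
LOG;

// Parse one combined-format line into its fields; null if it does not match.
function parseAccessLogLine(string $line): ?array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"$/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'uri' => $m[4],
        'status' => (int) $m[5], 'user_agent' => $m[7],
    ];
}

// Does the request line (path or query string) reference a .phar file?
function mentionsPhar(string $uri): bool
{
    return stripos($uri, '.phar') !== false;
}

/**
 * Returns findings, most severe first.
 *   phar_served:    GET of a .phar answered 200 (a stored file is being executed or read)
 *   upload_attempt: POST whose URI names a .phar (upload indicator)
 *   phar_probe:     GET of a .phar that was not served (probing for an earlier upload)
 */
function findPharIndicators(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseAccessLogLine($line);
        if ($entry === null || !mentionsPhar($entry['uri'])) {
            continue;
        }
        if ($entry['method'] === 'POST') {
            $kind = 'upload_attempt';
        } elseif ($entry['status'] === 200) {
            $kind = 'phar_served';
        } else {
            $kind = 'phar_probe';
        }
        $findings[] = ['kind' => $kind] + $entry;
    }
    $rank = ['phar_served' => 0, 'upload_attempt' => 1, 'phar_probe' => 2];
    usort($findings, fn ($a, $b) => $rank[$a['kind']] <=> $rank[$b['kind']]);
    return $findings;
}

// Source IPs that both posted a .phar name and later had a .phar served:
// the "subsequent requests to uploaded .phar files" pattern from the indicators.
function uploadThenExecuteSources(array $findings): array
{
    $byIp = [];
    foreach ($findings as $f) {
        $byIp[$f['ip']][$f['kind']] = true;
    }
    $hits = [];
    foreach ($byIp as $ip => $kinds) {
        if (isset($kinds['upload_attempt'], $kinds['phar_served'])) {
            $hits[] = $ip;
        }
    }
    return $hits;
}

$findings = findPharIndicators(SAMPLE_ACCESS_LOG);
foreach ($findings as $f) {
    printf("%-15s %-15s %s %s -> %d (%s)\n",
        $f['kind'], $f['ip'], $f['method'], $f['uri'], $f['status'], $f['user_agent']);
}
foreach (uploadThenExecuteSources($findings) as $ip) {
    echo "ALERT upload-then-execute sequence from {$ip}\n";
}
```

Run with php scanner.php; on the constructed sample it reports one phar_served, one upload_attempt and one phar_probe finding, and raises the upload-then-execute alert for 203.0.113.7. To use it on real data, replace SAMPLE_ACCESS_LOG with the contents of the access log and feed findings of kind phar_served straight to the incident queue, since they mean a .phar already exists under an upload path.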
