CVE-2021-45040

9.8 CRITICAL

📋 TL;DR

CVE-2021-45040 is an unrestricted file upload vulnerability in Spatie's Laravel Media Library Pro that allows remote attackers to upload executable files via the uploads route. This affects Laravel applications using the media-library-pro library, potentially leading to remote code execution. The vulnerability exists in both the 1.x and 2.x branches of the library.

💻 Affected Systems

Products:
  • Spatie Laravel Media Library Pro
Versions: 1.x through 1.17.10 and 2.x through 2.1.6
Operating Systems: All operating systems running Laravel with affected library
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Laravel applications using the media-library-pro library with default configuration. The vulnerability is in the upload processing functionality.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Malicious file upload leading to web shell deployment, data exfiltration, or server takeover.

🟢 If Mitigated

Limited impact with proper file validation and execution restrictions in place.

🌐 Internet-Facing: HIGH - The uploads route is typically internet-accessible, allowing unauthenticated attackers to exploit this vulnerability.
🏢 Internal Only: MEDIUM - Internal users could exploit this if they have access to the upload functionality.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - attackers can simply POST executable files to the upload endpoint. Public proof-of-concept code exists demonstrating the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.17.11 for 1.x branch, 2.1.7 for 2.x branch

Vendor Advisory: https://spatie.be/docs/laravel-medialibrary/v9/handling-uploads-with-media-library-pro/processing-uploads-on-the-server

Restart Required: No

Instructions:

1. Update composer.json to require spatie/laravel-medialibrary-pro version 1.17.11 or higher for 1.x, or 2.1.7 or higher for 2.x.
2. Run 'composer update spatie/laravel-medialibrary-pro'.
3. Clear the Laravel cache with 'php artisan cache:clear'.

🔧 Temporary Workarounds

Implement File Type Validation

Platform: all

Add server-side validation to reject executable file types before processing uploads.

Implement validation in your upload controller to check file extensions and MIME types.
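The following is an added example of such a check, not code from Spatie or the advisory. It is plain PHP that a Laravel upload controller could call before passing the request file to the media library; the function and constant names (validateUpload, ALLOWED_TYPES, EXECUTABLE_EXTENSIONS) are assumptions. It rejects executable extensions anywhere in the name (so double extensions such as "script.php.png" are caught), requires the final extension to be on an allowlist, and then checks the file content with libmagic rather than trusting the client-supplied MIME type. Content validation matters because PHP files are run by the interpreter regardless of the filesystem execute bit.

```php
<?php
// Added example (not Spatie's code): server-side upload validation that an
// upload controller can run before handing the file to the media library.
// The names ALLOWED_TYPES, EXECUTABLE_EXTENSIONS and validateUpload are assumptions.
declare(strict_types=1);

// Allowlist of permitted final extensions and the MIME types libmagic reports for them.
const ALLOWED_TYPES = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Extensions a web server or interpreter may execute. Rejected anywhere in the
// name so that double extensions such as "script.php.png" are caught as well.
const EXECUTABLE_EXTENSIONS = [
    'php', 'phtml', 'phar', 'php3', 'php5', 'php7', 'exe', 'sh', 'py', 'pl', 'cgi',
];

/**
 * Returns null when the upload is acceptable, otherwise a human-readable rejection reason.
 *
 * @param string $originalName client-supplied file name (UploadedFile::getClientOriginalName())
 * @param string $tmpPath      path of the uploaded temporary file on disk
 */
function validateUpload(string $originalName, string $tmpPath): ?string
{
    // Null bytes can truncate the name in lower layers; never accept them.
    if (strpos($originalName, "\0") !== false) {
        return 'file name contains a null byte';
    }

    $segments = explode('.', strtolower(basename($originalName)));
    if (count($segments) < 2 || $segments[0] === '') {
        return 'file name has no base name or no extension';
    }
    array_shift($segments); // drop the base name; what remains are the extension segments

    foreach ($segments as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return "executable extension \".{$segment}\" in file name";
        }
    }

    $finalExt = end($segments);
    if (!array_key_exists($finalExt, ALLOWED_TYPES)) {
        return "extension \".{$finalExt}\" is not in the allowlist";
    }

    // Check the bytes, not the name: a PHP script renamed to .png is reported by
    // libmagic as text/x-php, not image/png, so it fails this comparison.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $detected = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    if ($detected === false || !in_array($detected, ALLOWED_TYPES[$finalExt], true)) {
        return 'content type ' . var_export($detected, true) . " does not match .{$finalExt}";
    }

    return null;
}

// Constructed sample uploads, written to temporary files so the script runs offline.
$samples = [
    ['photo.png',      "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16)], // genuine PNG signature
    ['script.php',     "<?php echo 'x'; ?>"],                       // plain PHP file
    ['script.php.png', "<?php echo 'x'; ?>"],                       // double extension
    ['fake.png',       "<?php echo 'x'; ?>"],                       // PHP bytes behind an image name
];

foreach ($samples as [$name, $content]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    $reason = validateUpload($name, $tmp);
    printf("%-16s %s\n", $name, $reason === null ? 'ACCEPT' : "REJECT: {$reason}");
    unlink($tmp);
}
```

In a Laravel controller the two arguments come from the request's UploadedFile (its client original name and its temporary path); a non-null return should abort the request before the media library's upload handling runs.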

Restrict Upload Directory Permissions

Platform: linux

Set upload directory permissions to prevent execution of uploaded files.

chmod 644 /path/to/upload/directory/*
chmod 755 /path/to/upload/directory/

🧯 If You Can't Patch

  • Implement strict file type validation in application code to reject all executable file extensions
  • Use web application firewall (WAF) rules to block uploads of executable file types

🔍 How to Verify

Check if Vulnerable:

Check composer.lock for spatie/laravel-medialibrary-pro version. If version is 1.17.10 or lower (1.x) or 2.1.6 or lower (2.x), the system is vulnerable.

Check Version:

grep -A2 -B2 'spatie/laravel-medialibrary-pro' composer.lock

Verify Fix Applied:

Verify composer.lock shows spatie/laravel-medialibrary-pro version 1.17.11+ or 2.1.7+. Test upload functionality with executable files to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed upload attempts with executable extensions
  • Successful uploads of .php, .exe, .sh, or other executable files
  • Unusual POST requests to upload endpoints

Network Indicators:

  • HTTP POST requests to /uploads or similar endpoints with executable file content
  • Unusual outbound connections from web server after file uploads

SIEM Query:

source="web_logs" AND (uri_path="/uploads" OR uri_path LIKE "%/upload%") AND (file_extension="php" OR file_extension="exe" OR file_extension="sh" OR file_extension="py")
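For environments without a SIEM, the following added example (not part of the advisory) applies the same condition as the query above to application log lines: POST requests to an upload path whose file name carries an executable extension. The JSON log shape (fields uri_path, method, file_name, status, client_ip) and the function names are assumptions; the sample lines are constructed. It also groups hits per client to surface the "multiple attempts" indicator listed above.

```php
<?php
// Added example, not from the advisory: detection logic for the log indicators
// above. The structured log format and the function names are assumptions.
declare(strict_types=1);

// Extensions to alert on, matching the SIEM query (php, exe, sh, py) plus common PHP variants.
const WATCHED_EXTENSIONS = ['php', 'phtml', 'phar', 'exe', 'sh', 'py'];

// Same path condition as the query: uri_path="/uploads" OR uri_path LIKE "%/upload%".
function isUploadPath(string $path): bool
{
    return $path === '/uploads' || stripos($path, '/upload') !== false;
}

// All extension segments of a file name, lower-cased ("a.php.png" -> ["php", "png"]).
function extensionsOf(string $fileName): array
{
    $segments = explode('.', strtolower(basename($fileName)));
    array_shift($segments);
    return $segments;
}

/**
 * Scans JSON log lines and returns one alert per upload POST carrying a watched extension.
 * Accepted uploads (HTTP status < 400) are rated HIGH, rejected ones MEDIUM.
 */
function scanUploadLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $index => $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry)) {
            continue; // malformed line; a real pipeline would count these separately
        }
        if (($entry['method'] ?? '') !== 'POST' || !isUploadPath((string) ($entry['uri_path'] ?? ''))) {
            continue;
        }
        $hits = array_intersect(extensionsOf((string) ($entry['file_name'] ?? '')), WATCHED_EXTENSIONS);
        if ($hits === []) {
            continue;
        }
        $status = (int) ($entry['status'] ?? 0);
        $alerts[] = [
            'line'      => $index + 1,
            'client_ip' => (string) ($entry['client_ip'] ?? 'unknown'),
            'file_name' => (string) ($entry['file_name'] ?? ''),
            'matched'   => implode(',', $hits),
            'status'    => $status,
            'severity'  => $status < 400 ? 'HIGH (upload accepted)' : 'MEDIUM (upload rejected)',
        ];
    }
    return $alerts;
}

// Constructed sample log lines (JSON, one request per line).
$lines = [
    '{"ts":"2021-12-15T10:00:01Z","client_ip":"203.0.113.10","method":"POST","uri_path":"/uploads","file_name":"photo.png","status":200}',
    '{"ts":"2021-12-15T10:00:05Z","client_ip":"203.0.113.20","method":"POST","uri_path":"/uploads","file_name":"cmd.php","status":200}',
    '{"ts":"2021-12-15T10:00:06Z","client_ip":"203.0.113.20","method":"POST","uri_path":"/uploads","file_name":"cmd.phtml","status":422}',
    '{"ts":"2021-12-15T10:00:07Z","client_ip":"203.0.113.20","method":"POST","uri_path":"/api/upload","file_name":"x.php.png","status":422}',
    '{"ts":"2021-12-15T10:00:09Z","client_ip":"203.0.113.30","method":"GET","uri_path":"/uploads/cmd.php","status":200}',
    'not json at all',
];

$alerts = scanUploadLog($lines);
foreach ($alerts as $a) {
    printf("line %d  %-14s %-12s ext=%-6s status=%d  %s\n",
        $a['line'], $a['client_ip'], $a['file_name'], $a['matched'], $a['status'], $a['severity']);
}

// Repeated attempts from one client are the "multiple failed upload attempts" indicator.
$perClient = array_count_values(array_column($alerts, 'client_ip'));
foreach ($perClient as $ip => $count) {
    if ($count >= 2) {
        printf("client %s made %d suspicious upload attempts\n", $ip, $count);
    }
}
```

The GET of /uploads/cmd.php on the fifth sample line is deliberately not matched by this scan, which covers only the upload POSTs; a successful GET of a previously uploaded executable is the follow-on indicator and is better handled by a separate check on requests served from the upload directory.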
