CVE-2021-3129 is an unauthenticated remote code execution vulnerability in Ignition, the error page and debugging component used by Laravel and other PHP applications. Affected versions of Ignition before 2.5.2 insecurely use file_get_contents() and file_put_contents() in a way that can be abused by a remote attacker to achieve code execution. In Laravel deployments, the issue is exploitable when the application is running with debug mode enabled, including Laravel versions before 8.4.2 that expose the vulnerable Ignition functionality in production environments. The flaw is commonly characterized as an exposed debug-interface RCE in which attacker-controlled input reaches unsafe file handling paths, ultimately enabling arbitrary code execution on the server.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
16 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository is a small standalone Python proof-of-concept plus Dockerized lab for CVE-2021-3129. It contains 5 files: a Python exploit script, a Dockerfile that builds a deliberately vulnerable Laravel-like environment, a README with usage instructions, and standard metadata files. The main exploit logic is in cve_2021_3129_exploit.py. The script uses requests.Session to probe two web endpoints, /_ide_helper.php and /artisan, treating HTTP 200 or 500 as signs of a potentially vulnerable debug-enabled target. If a candidate endpoint is found, it sends a GET request with a subject parameter containing a phar:// wrapper and path traversal sequence intended to coerce local file access, specifically trying to reach /etc/passwd via Laravel log paths. Successful exploitation is judged heuristically by non-trivial response length, after which the script prints a confirmation banner and remediation advice. The Dockerfile is not part of the exploit itself but is important to the repository purpose: it creates a PHP 8.0 Apache container with a synthetic _ide_helper.php endpoint and a storage/logs/laravel.log file seeded with mock secrets, allowing safe local demonstration. This makes the repository both an exploit PoC and a training lab. The exploit capability is limited to unauthenticated detection and arbitrary file-read style disclosure; it does not implement a full remote code execution chain, shell delivery, persistence, or post-exploitation automation. Because it includes a hardcoded payload and basic workflow rather than a flexible framework, the maturity is best classified as OPERATIONAL.
This repository is a real Python exploit for CVE-2021-3129, a Laravel Ignition remote code execution vulnerability. The repository is small and centered around a single main script, CVE-2021-3129.py, with supporting documentation, dependency metadata, a Dockerfile for building a vulnerable Laravel lab, and a GitHub Actions workflow that automatically tests exploitation against a local container. The main exploit script is operational rather than a simple detector. It accepts a target host, normalizes and validates the URL, supports optional random user agents, and allows the operator to choose from many phpggc gadget chains covering Laravel and Monolog RCE variants. The script is designed to achieve arbitrary command execution via an operator-supplied --exec argument. Based on the visible constants and README, it uses phpggc-generated serialized payloads and PHP stream-filter tricks to stage and trigger execution through the Laravel Ignition debug functionality. The README explicitly states exploitation requires APP_DEBUG=true in the target .env configuration. Notable exploit capabilities include: selecting multiple Laravel/Monolog gadget chains, using a local php executable and phpggc helper, caching phpggc version data, optional Cloudflare-related handling via the cloudscraper dependency, and support for patch-oriented modes documented in the README (env/index/private) that appear intended to disable or restrict the vulnerable endpoint after access is obtained. Repository structure: - CVE-2021-3129.py: primary exploit implementation and CLI entry point. - Dockerfile: builds a vulnerable lab using php:7.3.31-alpine3.14, Laravel 8.4.2, and facade/ignition 2.5.1. - .github/workflows/docker-test.yml: CI workflow that builds the lab and runs the exploit against 127.0.0.1:8000 using chain laravel/rce12 and command pwd. - README.md / SECURITY.md / CONTRIBUTING.md: usage, safety, and contribution docs. - requirements.txt: Python dependencies including requests, cloudscraper, packaging, and requests-toolbelt. Fingerprintable targets and endpoints include the vulnerable Laravel path /_ignition/execute-solution, local phpggc paths, PHP filter wrapper strings used in payload delivery, and the GitHub API endpoint used to check phpggc updates. Overall, this is a focused, single-script web exploit repository with a reproducible Docker-based proof-of-concept environment.
This repository is a real exploit repo centered on CVE-2021-3129, a Laravel Ignition remote code execution issue. The main exploit is CVE-2021-3129.py, a Python script that automates the full attack chain against a vulnerable Laravel application. It sends crafted POST requests to the Laravel Ignition endpoint /_ignition/execute-solution, first clearing the application log, then injecting a base64-encoded PHAR payload into the log, converting the log contents into a PHAR using php://filter write chains, and finally triggering deserialization via a phar:// wrapper. The payload is generated locally by invoking the bundled phpggc utility with the laravel/rce12 gadget chain and system(<cmd>), enabling arbitrary command execution such as whoami or id. Repository structure shows this is effectively a standalone exploit bundled with a local copy of phpggc rather than a Metasploit/Nuclei module. The top-level files are the Python exploit, a README, a Dockerfile, and the phpggc launcher. Most of the repository consists of phpggc internals under lib/ and many gadget chains under gadgetchains/, especially Laravel and Monolog RCE/file-write/file-delete chains. Those PHP files are not directly network-active; they support local generation of serialized/PHAR payloads. The Dockerfile prepares a PHP environment for running phpggc. The README documents usage and confirms intended exploitation flow. Main exploit capabilities: remote arbitrary command execution on vulnerable Laravel targets; log poisoning; PHAR payload generation; PHAR deserialization trigger; optional custom log path selection. Fingerprintable target artifacts include the /_ignition/execute-solution endpoint, the Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution class name in the JSON body, the default Laravel log path ../storage/logs/laravel.log, php://filter wrapper usage, and phar:// access to the poisoned log. Overall, this is an operational exploit with a basic but customizable command payload, not merely a detector or documentation-only repository.
This repository contains a single Python exploit script (exp.py) targeting the Laravel Ignition debug handler vulnerability (CVE-2021-3129). The exploit automates the process of achieving remote code execution (RCE) by leveraging multiple PHPGGC gadget chains (Laravel/RCE1-7, Monolog/RCE1-4). The script constructs serialized PHP payloads using PHPGGC, writes them to the Laravel log file, and triggers deserialization via the /_ignition/execute-solution endpoint. The exploit checks for vulnerability, clears the log, injects the payload, and attempts to execute arbitrary commands (e.g., 'id') on the server. The main fingerprintable endpoints are the /_ignition/execute-solution HTTP endpoint and the ../storage/logs/laravel.log file. The script is operational and provides RCE if the target is vulnerable.
This repository contains a Python exploit script (CVE-2021-3129.py) and a README.md. The script targets the Laravel PHP framework (<= 8.4.2) when the 'APP_DEBUG' setting is enabled, exploiting CVE-2021-3129 to achieve remote code execution (RCE). The exploit is interactive, allowing the user to execute arbitrary system commands on the target server, clear or write to the Laravel log file, and attempt to patch the vulnerability. The script validates the target URL, supports multiple exploitation chains, and provides user guidance for available commands. The README.md briefly describes the exploit's purpose and requirements. No hardcoded endpoints are present; the target is specified at runtime. The exploit is operational and provides real RCE capabilities against vulnerable Laravel installations.
This repository is a Proof-of-Concept (PoC) exploit for CVE-2021-3129, a remote code execution vulnerability in Laravel applications using the Ignition debug handler (specifically version 2.5.1). The repository contains a Docker-based environment with two main components: a 'victim' service running a vulnerable Laravel 8.4.2 application with Ignition 2.5.1, and an 'attacker' service containing the exploit script (exploit.py). The exploit leverages PHPGGC to generate a malicious PHP object payload using the monolog/rce1 gadget chain, which is then injected into the Laravel log file and deserialized via the vulnerable endpoint (_ignition/execute-solution). The exploit achieves arbitrary command execution on the victim container, as demonstrated by reading /etc/passwd. The main exploit logic is implemented in Python (attacker/exploit.py), and the environment is orchestrated using Docker Compose. The repository is well-structured for educational and testing purposes, providing a full vulnerable environment and a working exploit.
This repository provides a Python-based exploit for CVE-2021-3129, a Remote Code Execution (RCE) vulnerability affecting Laravel applications with APP_DEBUG enabled. The main exploit script, 'CVE-2021-3129.py', orchestrates the attack by generating serialized PHP payloads (using PHPGGC chains) and injecting them into the Laravel log file. The exploit then triggers the payload via the '/_ignition/execute-solution' HTTP endpoint, resulting in arbitrary command execution on the target server. The script supports multiple exploitation chains for different Laravel and Monolog versions, and can automatically detect the Laravel version and select the appropriate chain. Additional features include clearing logs, writing arbitrary data to logs, and patching the vulnerability by modifying the .env file or index.php. The repository includes a Dockerfile to set up a vulnerable Laravel environment for testing, as well as language files for internationalization. The exploit is operational and provides real RCE capabilities, but also includes options for remediation. The main attack vector is network-based, targeting the '/_ignition/execute-solution' endpoint on Laravel servers with specific misconfigurations.
This repository contains a Python exploit script (CVE-2021-3129.py) and a README.md for CVE-2021-3129, a remote code execution vulnerability in Laravel applications with debug mode enabled. The script can both detect the vulnerability and exploit it to write a PHP webshell ('shell.php') to the target server. The main attack vector is via HTTP requests to the '/_ignition/execute-solution' endpoint, abusing the Ignition package's unsafe deserialization and file operations. The script supports optional proxying and provides clear output on success or failure. The README provides usage instructions, example commands, and legal disclaimers. The exploit is operational, as it provides a working payload (webshell) and automates the full attack chain.
This repository is a full exploit environment and script for CVE-2021-3129, a remote code execution (RCE) vulnerability in Laravel applications with debug mode enabled and the Facade\Ignition package installed. The repository includes a Dockerized vulnerable Laravel environment and a Python exploit script (exploit.py). The exploit works by generating a malicious Phar payload using PHPGGC and injecting it into the Laravel log file. It then triggers deserialization via the /_ignition/execute-solution endpoint, resulting in arbitrary command execution on the server. The exploit script supports multiple Monolog gadget chains for improved reliability. The main endpoints involved are the /_ignition/execute-solution HTTP endpoint and the Laravel log file. The repository is well-structured, with clear separation between the exploit code and the vulnerable application, and is intended for security research and proof-of-concept demonstration.
This repository contains a Python exploit script (laravel-CVE-2021-3129-EXP.py) targeting CVE-2021-3129, a remote code execution vulnerability in Laravel's Ignition debug mode. The exploit works by abusing the /_ignition/execute-solution endpoint to manipulate log files and inject a PHP webshell (fuckyou.php) into the target server. The script automatically detects the target OS (Windows or Linux) and crafts payloads accordingly. Upon successful exploitation, the attacker gains a persistent webshell with a known password ('pass'). The README provides basic usage instructions and an example target URL. The repository is operational and provides a working exploit with a real payload, suitable for post-exploitation access.
This repository is a comprehensive exploit toolkit targeting insecure deserialization vulnerabilities in a wide range of PHP applications and frameworks. The main entry point is 'exp.py', a Python script that automates exploitation of the Laravel Ignition RCE vulnerability (and potentially others) by generating and delivering serialized PHP object payloads (gadget chains) to the vulnerable endpoint '/_ignition/execute-solution'. The repository includes a large collection of PHP gadget chains (under 'gadgetchains/') for various popular PHP libraries and frameworks, such as Laravel, Monolog, CodeIgniter, Doctrine, Drupal, Guzzle, Horde, Laminas, Magento, PHPCSFixer, PHPExcel, Phalcon, Pydio, Slim, Smarty, SwiftMailer, Symfony, TCPDF, ThinkPHP, and WordPress (Dompdf). Each gadget chain enables a specific exploit primitive, such as remote code execution, file write, file delete, SQL injection, SSRF, or information disclosure, depending on the target's installed libraries and versions. The exploit works by: - Generating a serialized PHP object payload using PHPGGC for the selected gadget chain. - Encoding the payload and delivering it via a POST request to the Laravel Ignition endpoint. - Leveraging log file manipulation and deserialization to trigger the exploit and achieve code execution or other effects. The Dockerfile provides an environment with PHP and Python for running the exploit. The toolkit is operational and can be used to exploit real-world targets, provided the target is vulnerable and the correct gadget chain is selected. The structure is modular, allowing for easy addition of new gadget chains for other PHP libraries.
This repository is a comprehensive exploit toolkit for CVE-2021-3129, a critical remote code execution vulnerability in Laravel applications using the Ignition package. The main exploit script, 'CVE-2021-3129.py', is a Python tool that automates the full exploitation chain: it generates a malicious PHAR payload using the included 'phpggc' PHP tool, injects the payload into the Laravel log file via the Ignition endpoint, converts the log file into a PHAR archive using PHP stream filters, and finally triggers deserialization to achieve arbitrary command execution on the server. The repository includes a large collection of PHP gadget chains (under 'gadgetchains/') for Laravel and Monolog, supporting a wide range of Laravel and Monolog versions and exploitation scenarios. The 'lib/' directory contains the core PHPGGC library for generating serialized payloads. The Dockerfile provides an environment for running the tools. Key endpoints and artifacts include the '/_ignition/execute-solution' HTTP endpoint (used to interact with the vulnerable Laravel instance) and the '../storage/logs/laravel.log' file (used for payload injection). The exploit is highly customizable, allowing the attacker to specify any system command to execute on the target. Overall, this repository provides a weaponized, automated exploit for CVE-2021-3129, leveraging advanced PHP deserialization techniques and a robust set of gadget chains for maximum compatibility and effectiveness.
This repository is a comprehensive exploit toolkit for CVE-2021-3129, a critical remote code execution vulnerability in Laravel's Ignition debug mode. The main exploit script (Exp.py) automates the exploitation process by generating serialized PHP object payloads (Phar files) using various gadget chains (provided in the 'gadgetchains/' directory, compatible with phpggc). The script targets the '/_ignition/execute-solution' endpoint of a vulnerable Laravel application, injecting the payload into the application's log file and then triggering deserialization to achieve RCE. The toolkit supports multiple gadget chains for different PHP libraries and frameworks (e.g., Monolog, Laravel, CakePHP, CodeIgniter, Doctrine, Guzzle, etc.), increasing its effectiveness across a range of target environments. The repository includes a Dockerfile for building a PHP environment with phpggc, and the README provides usage instructions. The exploit is operational and can execute arbitrary commands on the target server, provided the necessary conditions are met (vulnerable Laravel version, exposed endpoint, and appropriate PHP configuration).
This repository contains a working exploit for CVE-2021-3129, a remote code execution vulnerability in Laravel Ignition <= 2.5.1. The exploit is implemented in Python (laravel-ignition-rce.py) and leverages the /_ignition/execute-solution/ HTTP endpoint exposed by Laravel applications in debug mode. The attack involves generating a malicious PHAR file (using PHPGGC), writing it into the Laravel log file, and then triggering deserialization via a crafted wrapper. The exploit script automates the process of clearing logs, injecting the payload, converting the log to a PHAR, and executing the payload to achieve arbitrary command execution. The README provides usage instructions and references the original vulnerability research. The main fingerprintable endpoints are the /_ignition/execute-solution/ HTTP path and the log file at /storage/logs/laravel.log. The exploit is operational and requires the attacker to generate a suitable PHAR payload.
This repository contains a Python exploit script (exploit.py) targeting CVE-2021-3129, a remote code execution vulnerability in Laravel applications using the Ignition package (facade/ignition) version 2.5.1. The exploit works by abusing the /_ignition/execute-solution endpoint to manipulate the Laravel log file, inject a serialized PHPGGC gadget chain payload (as a PHAR file), and trigger its deserialization, resulting in arbitrary command execution on the server. The script automates the process of clearing logs, generating the payload (using PHPGGC), injecting it, converting the log to a PHAR, and triggering deserialization. The README provides setup and usage instructions, including example commands. The main fingerprintable endpoints are the /_ignition/execute-solution HTTP endpoint and the ../storage/logs/laravel.log file. The exploit is operational, requiring a specific vulnerable configuration, and provides full RCE capabilities.
This repository contains a Python exploit script (Laravel_CVE-2021-3129_EXP.py) targeting CVE-2021-3129, a remote code execution vulnerability in Laravel's Ignition package (version 2.5.1). The exploit leverages a gadget chain (Laravel/RCE5) generated by the phpggc tool to craft a malicious serialized PHP payload. The script interacts with the vulnerable Laravel application's _ignition/execute-solution HTTP endpoint, sending specially crafted JSON data to trigger the vulnerability. The exploit workflow involves clearing and manipulating the Laravel log file, injecting the payload, and then triggering deserialization to achieve RCE. The README provides usage notes, version requirements, and references. The repository is structured with a single Python exploit script and a README file, and requires the phpggc tool to be present for payload generation.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specific Laravel vulnerability that was used as the initial access vector to obtain cloud credentials, enabling the subsequent LLMjacking attack.
A vulnerability additionally targeted by the botnet (no further details provided in the content).
A remote code execution vulnerability in Laravel that is being exploited by botnets targeting PHP servers.
Critical RCE vulnerability in Laravel applications when the Ignition debugging component is exposed in production.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.