CVE-2021-43617

CRITICAL

Laravel Framework <8.70.2 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2021-43617. PoCs published by Hosein Vita, Sybelle03 and aweiiy.

AI-analyzed exploit summary: This exploit demonstrates a bypass of Laravel's image upload functionality to upload arbitrary files, enabling XSS and CSRF token bypass. It uses a crafted HTML file with embedded JavaScript to extract and submit a CSRF token.

Description

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.

Exploits (4)

exploitdb WORKING POC
by Hosein Vita · text/webapps/php
https://www.exploit-db.com/exploits/50525

This exploit demonstrates a bypass of Laravel's image upload functionality to upload arbitrary files, enabling XSS and CSRF token bypass. It uses a crafted HTML file with embedded JavaScript to extract and submit a CSRF token.

Classification: Working PoC (90%) · Attack type: XSS · Complexity: Moderate · Reliability: Reliable
Target: Laravel Framework 8.70.1
No auth needed
Prerequisites: Access to upload functionality · Ability to craft and upload a malicious file
Analyzed by devstral-2 on Feb 16, 2026
nomisec WORKING POC · 1 star
by Sybelle03 · poc
https://github.com/Sybelle03/CVE-2021-43617

This repository demonstrates a proof-of-concept for CVE-2021-43617, which exploits a vulnerability in Laravel 8.70.1 where image file upload validation can be bypassed to upload arbitrary files, leading to XSS and CSRF token bypass.

Classification: Working PoC (90%) · Attack type: XSS · Complexity: Moderate · Reliability: Reliable
Target: Laravel 8.70.1
No auth needed
Prerequisites: A Laravel application with an image upload form · Ability to modify file headers to bypass validation
Analyzed by devstral-2 on Feb 16, 2026
nomisec WORKING POC
by aweiiy · poc
https://github.com/aweiiy/CVE-2021-43617

This PoC generates a malicious PHAR file with a JPG header to exploit CVE-2021-43617, a deserialization vulnerability in Laravel. The script prepends a JPG magic header to a shell payload (e.g., Weevely) to bypass file upload restrictions.

Classification: Working PoC (90%) · Attack type: Deserialization · Complexity: Trivial · Reliability: Reliable
Target: Laravel (specific version not specified)
No auth needed
Prerequisites: File upload functionality in Laravel · Ability to upload a malicious PHAR file
Analyzed by devstral-2 on Feb 16, 2026
nomisec STUB
by kombat1 · poc
https://github.com/kombat1/CVE-2021-43617

This PoC demonstrates a basic file-based exploit by embedding an HTML payload into a JPEG file, but it lacks functional exploit code for CVE-2021-43617. The payload is a simple XSS alert, and the method does not align with the vulnerability's actual exploitation mechanism.

Classification: Stub (80%) · Attack type: Other · Complexity: Trivial · Reliability: Theoretical
Target: Unknown (CVE-2021-43617 is related to a specific software, but not exploited here)
No auth needed
Prerequisites: Ability to write a file to the target system
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.5013
EPSS percentile: 97.9%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (2):
laravel/framework < 8.70.2
laravel/framework · Packagist
Published: Nov 14, 2021
Tracked since: Feb 18, 2026