CVE-2021-28254

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-28254
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-28254.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-28254
Aliases
Published
2023-04-19T00:15:07Z
Modified
2025-03-05T20:46:04.934958Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands.

References

Affected packages

Git / github.com/laravel/laravel

Affected ranges

Type
GIT
Repo
https://github.com/laravel/laravel
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a96fe9320704cbf18856d1009b8cdeffca8a636d

Affected versions

v3.*

v3.0.0
v3.0.0-beta-2
v3.0.0-rc-2
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.0-beta-1
v3.2.0-beta-2
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9

v4.*

v4.0.0
v4.0.0-BETA3
v4.0.0-BETA4
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.18
v4.1.27
v4.2.0
v4.2.11

v5.*

v5.0.0
v5.0.1
v5.0.16
v5.0.22
v5.1.0
v5.1.1
v5.1.11
v5.1.3
v5.1.33
v5.1.4
v5.2.0
v5.2.15
v5.2.23
v5.2.24
v5.2.27
v5.2.29
v5.2.31
v5.3.0
v5.3.10
v5.3.16
v5.3.30
v5.4.0
v5.4.15
v5.4.16
v5.4.19
v5.4.21
v5.4.23
v5.4.3
v5.4.30
v5.4.9
v5.5.0
v5.5.22
v5.5.28
v5.6.0
v5.6.12
v5.6.21
v5.6.33
v5.6.7
v5.7.0
v5.7.13
v5.7.15
v5.7.19
v5.7.28
v5.8.0
v5.8.16
v5.8.17
v5.8.3
v5.8.35

v6.*

v6.0.0
v6.0.1
v6.0.2
v6.12.0
v6.18.0
v6.18.3
v6.18.35
v6.18.8
v6.19.0
v6.2.0
v6.20.0
v6.4.0
v6.5.2
v6.8.0

v7.*

v7.0.0
v7.12.0
v7.25.0
v7.28.0
v7.29.0
v7.3.0
v7.30.0
v7.30.1
v7.6.0

v8.*

v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0
v8.2.0
v8.3.0
v8.4.0
v8.4.1
v8.4.2
v8.4.3
v8.4.4
v8.5.0
v8.5.1
v8.5.2
v8.5.3
v8.5.4
v8.5.5
v8.5.6
v8.5.7
v8.5.8
v8.5.9