Miggo Logo
Miggo Vulnerability Database
CVE-2021-43503

CVE-2021-43503:
Remote Code Execution in Laravel

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-43503
GHSA ID
GHSA-86r3-4gq8-xw8q
EPSS Score
-
CWE
CWE-502
Published
4/9/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
laravel/laravelcomposer<= 5.8.38

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The original advisory describes a POP chain involving three magic methods: __destruct (to initiate the chain), __call (to proxy malicious method calls), and __invoke (to execute arbitrary code). The provided PoC demonstrates serialized objects leveraging these methods sequentially. While the advisory was later withdrawn due to being a false positive, the technical analysis of the reported chain explicitly identifies these functions as the exploitation pathway. The high confidence stems from the reproducible exploit code and explicit documentation in the original vulnerability report.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn T*is **visory **s ***n wit**r*wn ****us* it is not * s**urity issu* *n* t** *V* **s ***n r*vok**. ## Ori*in*l **s*ription * R*mot* *o** *x**ution (R**) vuln*r**ility *xists in * l*r*v*l *.*.** vi* *n uns*ri*liz* pop ***in in (*) __**str

Reasoning

T** ori*in*l **visory **s*ri**s * POP ***in involvin* t*r** m**i* m*t*o*s: __**stru*t (to initi*t* t** ***in), __**ll (to proxy m*li*ious m*t*o* **lls), *n* __invok* (to *x**ut* *r*itr*ry *o**). T** provi*** Po* **monstr*t*s s*ri*liz** o*j**ts l*v*r*