{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "5.5.21"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6321069a75723d88103526903d3192f0b231544a"
            }
          ],
          "repo": "https://github.com/laravel/framework",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework.",
  "id": "CVE-2017-16894",
  "modified": "2026-04-01T23:08:20.960081745Z",
  "published": "2017-11-20T01:29:00.227Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/finnwea/status/967709791442341888"
    },
    {
      "type": "ADVISORY",
      "url": "http://whiteboyz.xyz/laravel-env-file-vuln.html"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}