A few days ago, you might have received a Dependabot security warning on Ignition. The warning concerns CVE-2021-3129, whose description states that Ignition, Laravel's default error page, allows unauthenticated remote attackers to execute arbitrary code.

In this blog post, we'd like to explain why that security warning isn't an issue for most installations and how we have further improved Ignition's security.
This exploit only works when debug mode is turned on
When you read the description of CVE-2021-3129, you might think that Ignition has a severe security problem. What the description does not make clear is that this exploit only worked when debug mode was turned on. The underlying RCE in Ignition has since been fixed (PR #334, released in version 2.5.2), and additional security measures were taken to protect people from unknowingly exposing their Laravel apps through misconfiguration.
Ignition can run executable solutions. These solutions make your life easier by running migrations you forgot to run, generating an APP_KEY if none is set, fixing variable names in your code, and so on. Runnable solutions are only available when Laravel is in debug mode.
We strongly recommend never turning on debug mode in a non-local environment. If you do, you risk exposing sensitive information (the debug page renders stack traces, request data and application context) and potentially allowing outsiders to execute solutions.
To understand how Ignition could be exploited when debug mode is on, take a look at this research report by Ambionics Security.
We want to stress that you should never turn on debug mode in a non-local environment.
How we have improved Ignition in response to this warning
We think the vast majority of Laravel developers are aware that they should never enable debug mode on a non-local site.
To warn those who don't, Ignition now displays a warning whenever an error page is rendered with debug mode enabled in a non-local environment.

We think that most people never want to run solutions in a production environment. To protect Ignition users even further, we've removed outright the ability to run solutions in non-local environments and from non-local IP addresses. You can see the changes in this PR, which is included in v2.6.1.
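As an added illustration, the standalone PHP script below shows a gate of the kind described above. This is example code written for this article, not Ignition's own implementation: the function names, the parameters and the constructed scenarios are invented here. A solution is allowed to run only when debug mode is on, the application environment is `local`, and the request originates from a loopback address.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical gate for runnable solutions (example code, not Ignition's).
 *
 * A solution may run only when all three conditions hold:
 *   1. debug mode is enabled       (runnable solutions exist only in debug mode)
 *   2. the app environment is 'local'
 *   3. the request comes from a loopback address
 */

function isLoopbackAddress(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        // The whole 127.0.0.0/8 block is loopback, not only 127.0.0.1.
        return (int) explode('.', $ip)[0] === 127;
    }

    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $bin = inet_pton($ip);
        if ($bin === false) {
            return false;
        }
        // ::1 is the IPv6 loopback address.
        if ($bin === inet_pton('::1')) {
            return true;
        }
        // Also accept the IPv4-mapped form ::ffff:127.x.x.x, which some
        // dual-stack listeners report for IPv4 loopback clients.
        $mappedPrefix = str_repeat("\x00", 10) . "\xff\xff";
        if (substr($bin, 0, 12) === $mappedPrefix) {
            return ord($bin[12]) === 127;
        }
    }

    return false;
}

function runnableSolutionsAllowed(bool $debugEnabled, string $environment, string $clientIp): bool
{
    if (! $debugEnabled) {
        return false;   // no runnable solutions outside debug mode
    }
    if ($environment !== 'local') {
        return false;   // 'production', 'staging', ... are always denied
    }
    return isLoopbackAddress($clientIp);
}

// Constructed scenarios for this example (not real traffic).
$cases = [
    ['debug' => true,  'env' => 'local',      'ip' => '127.0.0.1',        'expect' => true],
    ['debug' => true,  'env' => 'local',      'ip' => '::1',              'expect' => true],
    ['debug' => true,  'env' => 'local',      'ip' => '::ffff:127.0.0.1', 'expect' => true],
    ['debug' => true,  'env' => 'local',      'ip' => '203.0.113.10',     'expect' => false], // remote client hitting a dev box
    ['debug' => true,  'env' => 'production', 'ip' => '127.0.0.1',        'expect' => false], // debug left on in production
    ['debug' => false, 'env' => 'local',      'ip' => '127.0.0.1',        'expect' => false],
];

foreach ($cases as $c) {
    $got = runnableSolutionsAllowed($c['debug'], $c['env'], $c['ip']);
    printf(
        "debug=%-5s env=%-10s ip=%-18s -> %s%s\n",
        var_export($c['debug'], true),
        $c['env'],
        $c['ip'],
        $got ? 'allowed' : 'denied',
        $got === $c['expect'] ? '' : '   (UNEXPECTED)'
    );
}
```

Run it with `php gate.php`. Two caveats apply to any check of this shape. First, the environment check is what protects production; the IP check only narrows the exposure of a development machine that happens to be reachable from the network. Second, the client address is only as trustworthy as the hop that reported it: if a reverse proxy on the same host forwards requests to the application, every client appears to come from 127.0.0.1, and trusting an `X-Forwarded-For` header from an untrusted hop is worse still. Neither check is a substitute for leaving debug mode off outside local environments.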
Finally, we've added a security page to the Ignition docs that lists our recommendations.