CVE-2021-32708 — Flysystem Path Traversal CRITICAL

🔴 CISA KEV · CVSS 9.1

Path traversal in Flysystem allows arbitrary file read via crafted paths containing ../ sequences. Any PHP application using Flysystem to serve files based on user-supplied paths is vulnerable.

🔴 Actively Exploited

CVE-2021-32708 is in the CISA Known Exploited Vulnerabilities catalog and is being used in real attacks right now. Fix immediately.

Affected package

| Package | Vulnerable | Safe version | Fix guide |
|---|---|---|---|
| flysystem | < 1.1.4 | ^3.28 | Fix guide → |

Timeline

Jun 2021: CVE filed — path traversal in Flysystem
Jun 2021: Flysystem 1.1.4, 2.1.1, and 3.0.0-beta2 released
CISA: Added to KEV — active exploitation against Laravel apps
Ongoing: Many legacy Laravel apps still on Flysystem 1.x
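
To find out whether an application is one of those still on an affected release, the following added example (not part of the original page or of Flysystem) reads a `composer.lock` and classifies the locked Flysystem version against the fixed releases in the timeline above. Assumptions: the Composer package name `league/flysystem`, the helper names `status` and `audit_lock`, and the constructed sample lock file; the 2.x bound is taken from the 2.1.1 fix release listed in the timeline.

```python
import json
import re

# Composer name of Flysystem (assumption: the page only says "flysystem").
PACKAGE = "league/flysystem"

def status(raw_version):
    """Classify a composer.lock version string against the page's fixed releases."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw_version.strip())
    if m is None:
        return "review"  # dev branches and pre-releases (e.g. 3.0.0-beta1) need a manual look
    v = tuple(int(part) for part in m.groups())
    # Fixed in 1.1.4 and 2.1.1; every stable 3.x release postdates 3.0.0-beta2.
    if v < (1, 1, 4) or (2, 0, 0) <= v < (2, 1, 1):
        return "vulnerable"
    return "patched"

def audit_lock(lock_text):
    """Return (section, version, status) for every Flysystem entry in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                findings.append((section, version, status(version)))
    return findings

# Constructed sample lock file (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v6.20.27"},
        {"name": "league/flysystem", "version": "1.1.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, result in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {result}")
```

A result of `review` means the locked version is a branch alias or pre-release that cannot be compared numerically and should be checked by hand.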


Common questions

What files can an attacker read?
Any file readable by the web server process — /etc/passwd, .env files with database credentials, application config files, source code, private keys. This is a critical data exposure vulnerability.
Does this affect Laravel?
Yes — Laravel's Storage facade uses Flysystem. Laravel apps using Storage::get() or Storage::download() with user-controlled paths are vulnerable.
