Overview
CVE-2017-16894 describes a sensitive data exposure in the Laravel framework through version 5.5.21 (inclusive). A remote attacker can obtain sensitive information, including externally usable passwords, by requesting the /.env URI directly. The CVE record ties the issue to the writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which writes the file with file_put_contents without restricting its permissions, and notes that the .env filename is not used exclusively by Laravel, so other tools and frameworks that read the same file are exposed in the same way.
In practice the file is reachable over HTTP only when the web server's document root is the project root rather than Laravel's public/ directory, or when the server is configured to serve dotfiles. A direct request to /.env then returns the file verbatim, exposing DB_PASSWORD, APP_KEY (which Laravel uses to encrypt cookies and sign data, so anyone holding it can forge them), mail credentials and third-party API keys. Note that tightening file permissions does not by itself close this hole: a web server or PHP-FPM process running as the file's owner can still read and serve it, so the document root and dotfile handling are the primary controls. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Affected Versions
5.5.0-5.5.21
Code Fix Example
Laravel API Security Remediation
// Vulnerable pattern: .env is written with file_put_contents under the process
// umask (typically 022), so a new file is created world-readable (0644)
$envPath = base_path('.env');
$contents = 'APP_ENV=production' . PHP_EOL . 'DB_PASSWORD=secret' . PHP_EOL;
file_put_contents($envPath, $contents);

// Fixed pattern: owner-only umask so the file is never created readable by
// others (a chmod after the write alone leaves a window), exclusive lock during
// the write, then chmod so a pre-existing .env with lax permissions is tightened
$envPath = base_path('.env');
$contents = 'APP_ENV=production' . PHP_EOL . 'DB_PASSWORD=secret' . PHP_EOL;
$oldUmask = umask(0077);
file_put_contents($envPath, $contents, LOCK_EX);
umask($oldUmask);
chmod($envPath, 0600);
// Permissions alone do not stop a web server running as the file owner from
// serving it: keep the document root at public/ and deny requests for dotfiles
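The two checks a practitioner actually runs after a deploy are (1) is /.env served over HTTP, and (2) is the on-disk file readable by anyone other than its owner. The script below is an added example written for this page, not code from Laravel or from the CVE record. It distinguishes a real leak from the common false positive where a catch-all route answers 200 with HTML to every path, by requiring the body to be in KEY=value form and looking for names Laravel's default .env ships with. The sample response bodies, the fake APP_KEY value and the check_env_file helper are constructed for the example; probe() needs network access and is not exercised by the tests.

```python
"""Added example (not Laravel's code): detect a leaked .env and check its mode."""
import os
import re
import stat
import urllib.error
import urllib.request

# Variable names present in Laravel's default .env.example. Several of them in a
# KEY=value body is a strong signal that the framework configuration leaked.
LARAVEL_KEYS = {"APP_KEY", "APP_ENV", "APP_DEBUG", "DB_USERNAME", "DB_PASSWORD"}

# One dotenv assignment per line; `export FOO=` is also accepted by dotenv parsers.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)=", re.M)


def classify_response(status: int, content_type: str, body: str) -> dict:
    """Decide whether an HTTP response to GET /.env is a real secret leak.

    Returns {'leak': bool, 'keys': [Laravel keys seen], 'reason': str}.
    """
    if status != 200:
        return {"leak": False, "keys": [], "reason": f"status {status}"}
    if "text/html" in content_type.lower() or body.lstrip()[:1] == "<":
        # SPA / catch-all routes return an HTML page for every path: not a leak.
        return {"leak": False, "keys": [], "reason": "html body"}
    names = set(ENV_LINE.findall(body))
    if not names:
        return {"leak": False, "keys": [], "reason": "no KEY=value lines"}
    found = sorted(names & LARAVEL_KEYS)
    # Any Laravel key is conclusive; three or more generic assignments still
    # means some dotenv file was served even if it is not Laravel's.
    leak = bool(found) or len(names) >= 3
    return {"leak": leak, "keys": found, "reason": "env-format body"}


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch <base_url>/.env and classify it (network required)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/.env",
        headers={"User-Agent": "env-exposure-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify_response(resp.status, resp.headers.get("Content-Type", ""), body)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.headers.get("Content-Type", ""), "")


def env_mode_is_safe(mode: int) -> bool:
    """True when the permission bits grant nothing to group or others (0600/0400)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_env_file(path: str) -> bool:
    """Constructed helper: apply env_mode_is_safe() to a file on disk."""
    return env_mode_is_safe(os.stat(path).st_mode)


# Constructed sample responses; the APP_KEY value is a placeholder, not a real key.
LEAKED_BODY = (
    "APP_NAME=Laravel\n"
    "APP_ENV=production\n"
    "APP_KEY=base64:EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY0000=\n"
    "DB_PASSWORD=example-password\n"
)
SPA_BODY = "<!DOCTYPE html><html><body>Not found</body></html>"

if __name__ == "__main__":
    print(classify_response(200, "text/plain", LEAKED_BODY))
    print(classify_response(200, "text/html; charset=utf-8", SPA_BODY))
    print(classify_response(404, "text/html", ""))
    print("0600 safe:", env_mode_is_safe(0o100600), "0644 safe:", env_mode_is_safe(0o100644))
```

A 403 or 404 from probe() is the expected result on a correctly deployed site: the document root points at public/ and the server denies dotfiles, so the file is never reachable regardless of its mode. Run check_env_file() on the server itself, since a probe cannot see local permissions.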