
# GHSA-3p32-j457-pg5x: Query Binding Exploitation

GitHub Security Advisory (GitHub reviewed, CVE assigned). Severity: HIGH.

## Advisory Details

### Description

Laravel versions before 6.20.12, 7.30.3 and 8.22.1 (on the 6.x, 7.x and 8.x branches respectively) are vulnerable to query binding exploitation.

If a request is crafted so that a field the application normally treats as a non-array value arrives as an array, and that input is neither validated nor cast to its expected type before being passed to the query builder, the query builder adds an unexpected number of bindings to the query, so the bindings no longer line up with the placeholders in the generated SQL. In some situations this simply causes the query to return no results; in others, certain queries can be affected in a way that makes them return unexpected results.
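
The following is an added example, not code from the Laravel project or from this advisory. It models the mechanism described above in Python with sqlite3 so that it runs without Laravel: `php_style_input` parses a query string the way PHP does (`email[]=a&email[]=b` becomes a list), the tiny `Builder` class is an assumption that reproduces only the binding behaviour the advisory describes (vulnerable: each array element becomes its own binding; patched: an array value still yields one binding), and `require_scalar` is the input check the advisory calls for. The `users` table, the request strings and the `find_user` lookup are constructed for the demonstration.

```python
import sqlite3
from urllib.parse import parse_qs


def php_style_input(query_string):
    """Parse a query string the way PHP's request parsing does: `email[]=a&email[]=b`
    becomes {'email': ['a', 'b']}, while `email=a` becomes {'email': 'a'}.
    This is what lets a field the code expects to be a scalar arrive as an array."""
    fields = {}
    for key, values in parse_qs(query_string, keep_blank_values=True).items():
        if key.endswith("[]"):
            fields[key[:-2]] = values
        else:
            fields[key] = values[-1]  # PHP keeps the last value of a repeated scalar key
    return fields


class Builder:
    """Minimal stand-in for a query builder (assumption: not the real Laravel Builder).
    It models only the binding behaviour the advisory describes."""

    def __init__(self, table, fixed):
        self.table = table
        self.fixed = fixed          # False = pre-fix behaviour, True = post-fix behaviour
        self.wheres = []            # one "col = ?" fragment per where() call
        self.bindings = []          # positional values handed to the driver

    def where(self, column, value):
        self.wheres.append(f"{column} = ?")
        if isinstance(value, list):
            if self.fixed:
                # Patched behaviour: an array value still produces exactly one binding.
                self.bindings.append(value[0] if value else None)
            else:
                # Vulnerable behaviour: every element is appended as its own binding,
                # so a single placeholder is followed by len(value) bindings.
                self.bindings.extend(value)
        else:
            self.bindings.append(value)
        return self

    def to_sql(self):
        return f"SELECT id, email FROM {self.table} WHERE " + " AND ".join(self.wheres)


def positional_view(qb):
    """Pair each placeholder with the binding a positional driver would assign to it.
    Surplus bindings are paired with None so a shift is visible at a glance."""
    columns = [w[: -len(" = ?")] for w in qb.wheres]
    n = max(len(columns), len(qb.bindings))
    return [(columns[i] if i < len(columns) else None,
             qb.bindings[i] if i < len(qb.bindings) else None) for i in range(n)]


def require_scalar(request, field):
    """The check the advisory asks for: refuse a field that is not the scalar the
    query expects. In a Laravel app the `string`/`integer` validation rules or an
    explicit cast play this role; here it is a plain type check."""
    value = request.get(field)
    if not isinstance(value, str):
        raise ValueError(f"{field}: expected a scalar, got {type(value).__name__}")
    return value


def sample_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, token TEXT)")
    conn.executemany("INSERT INTO users (email, token) VALUES (?, ?)",
                     [("alice@example.com", "tok-alice"), ("bob@example.com", "tok-bob")])
    return conn


def find_user(conn, request, fixed):
    """The pattern the advisory warns about: request fields go straight into where()."""
    qb = Builder("users", fixed).where("email", request["email"]).where("token", request["token"])
    try:
        rows = conn.execute(qb.to_sql(), qb.bindings).fetchall()
    except sqlite3.ProgrammingError as exc:   # sqlite3 refuses a placeholder/binding mismatch
        rows = f"driver error: {exc}"
    return qb, rows


if __name__ == "__main__":
    conn = sample_db()
    for qs in ("email=alice@example.com&token=tok-alice",
               "email[]=alice@example.com&email[]=attacker-chosen&token=tok-alice"):
        req = php_style_input(qs)
        for fixed in (False, True):
            qb, rows = find_user(conn, req, fixed)
            print(f"{'fixed' if fixed else 'vulnerable':>10} {qs}")
            print("   ", positional_view(qb), "->", rows)
```

With the crafted request the vulnerable builder hands the driver three bindings for two placeholders, and the positional view shows the attacker's second element landing in the `token` slot; sqlite3 rejects the mismatch outright, which is the "no results" outcome, while the advisory notes that other queries can instead return unexpected rows. Neither the patched builder nor the scalar check lets the extra element reach a placeholder, and `require_scalar` rejects the request before any query is built.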

This vulnerability was discovered by Tim Groenevelt ([email protected]).

### References

- https://github.com/laravel/framework/pull/35865

## Affected Packages

| Package (Packagist) | Affected versions | Fixed in |
|---|---|---|
| laravel/framework | >= 6.0.0, < 6.20.11 | 6.20.11 |
| laravel/framework | >= 7.0.0, < 7.30.2 | 7.30.2 |
| laravel/framework | >= 8.0.0, < 8.22.1 | 8.22.1 |
| illuminate/database | >= 6.0.0, < 6.20.12 | 6.20.12 |
| illuminate/database | >= 7.0.0, < 7.30.3 | 7.30.3 |
| illuminate/database | >= 8.0.0, < 8.22.1 | 8.22.1 |

Note that the fixed versions listed here for laravel/framework 6.x and 7.x (6.20.11, 7.30.2) are one patch release below the versions named in the description (6.20.12, 7.30.3), while the illuminate/database ranges match the description; upgrading to at least the versions in the description satisfies both.

## Key Information

- GHSA ID: GHSA-3p32-j457-pg5x
- Published: January 19, 2021 7:36 PM
- Last modified: March 29, 2021 5:41 PM
- CVSS score: 7.5 / 10
- Primary ecosystem: Packagist
- Primary package: laravel/framework
- GitHub reviewed: yes

Source: GitHub Advisory Database (dataset last updated June 17, 2025 6:25 AM). This information is provided for research and educational purposes.