All Flysystem CVEs — Complete Vulnerability History
Flysystem is PHP's filesystem abstraction library used by Laravel for all file storage. CVE-2021-32708 is critical — path traversal allowing arbitrary file read. It's on the CISA KEV list.
PHP · 10M+ weekly downloads · 1 CVE total · 1 CRITICAL · 🔴 CISA KEV
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2021-32708 | 2021 | 🔴 CRITICAL | Path traversal allowing arbitrary file read — CISA KEV | Fixed 1.1.4 |
Current safe version: ^3.28
```
# Before
"league/flysystem": "^1.1"
# After
"league/flysystem": "^3.28"
```
Then run: composer install
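The constraint in composer.json only bounds what may be installed (`^1.1` matches 1.1.3 as well as 1.1.4); composer.lock records what actually is. The following is an added example, not PackageFix's or Flysystem's own code: it reads a composer.lock and reports whether league/flysystem resolves below the fixed version 1.1.4 given in the table above. The function names and the sample lock content are constructed for illustration, and only the fix version stated on this page is checked.

```python
import json
import re

FIXED = (1, 1, 4)              # fix version taken from the table on this page
PACKAGE = "league/flysystem"


def parse_version(raw):
    """Return (major, minor, patch), or None for anything that is not a plain release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not m:
        return None            # e.g. dev-main, 2.x-dev, pre-release tags
    return tuple(int(part or 0) for part in m.groups())


def audit_lock(lock_text):
    """List (section, version, status) for every Flysystem entry in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    # Dev dependencies are installed on build hosts too, so both sections count.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            parsed = parse_version(raw)
            if parsed is None:
                status = "unknown"      # branch or dev build: review by hand
            elif parsed < FIXED:
                status = "vulnerable"
            else:
                status = "ok"
            findings.append((section, raw, status))
    return findings


# Constructed sample: a lock file resolved under the "^1.1" constraint.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v8.40.0"},
        {"name": "league/flysystem", "version": "1.1.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, status in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {status}")
```

An empty result means Flysystem is not in the lock file at all; an `unknown` status means the locked version is a branch or pre-release that has to be checked against the fix commit manually.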
Common questions
What does CVE-2021-32708 allow an attacker to do?
Read arbitrary files on the server via a crafted path containing ../ sequences. If your application uses Flysystem to serve or process user-specified file paths, an attacker can read /etc/passwd, .env files, or any other readable file.
Does Laravel use Flysystem?
Yes — Laravel's Storage facade is built on Flysystem. All Laravel apps using Storage::get() or similar methods that accept user input are potentially vulnerable if on a pre-1.1.4 version.
Is migrating from Flysystem 1.x to 3.x a big change?
Yes — Flysystem 3.x has significant API changes. Laravel 9+ uses Flysystem 3.x. If you're on Laravel 8 with Flysystem 1.x, plan your upgrade path.