CVE-2021-47756 Overview
CVE-2021-47756 is a local privilege escalation vulnerability affecting Laravel Valet versions 1.1.4 to 2.0.3. This vulnerability allows local users to modify the symlinked valet command to execute arbitrary code with root privileges without additional authentication. The flaw stems from improper permission handling (CWE-732) in how the Valet command is managed on macOS systems.
Critical Impact
Attackers with local access can escalate privileges to root by editing the symlinked valet command, enabling full system compromise without authentication.
Affected Products
- Laravel Valet versions 1.1.4 through 2.0.3
- macOS systems running vulnerable Valet installations
Discovery Timeline
- 2026-01-16 - CVE CVE-2021-47756 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47756
Vulnerability Analysis
This vulnerability exists due to incorrect permission assignments for critical resources in Laravel Valet's architecture. Laravel Valet creates a symlink to the valet command that runs with elevated privileges. The fundamental issue is that the symlink target can be modified by users who should not have the ability to influence privileged execution paths.
When Valet is installed, it establishes sudo privileges for certain operations to manage nginx, dnsmasq, and PHP-FPM services. However, the mechanism by which these privileges are granted fails to properly protect the command execution path. A local attacker can exploit this by editing the symlinked valet command to inject malicious code that will subsequently execute with root permissions.
The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), which describes scenarios where software does not assign or incorrectly assigns permissions to critical resources, leaving them accessible to unintended actors.
Root Cause
The root cause of this vulnerability lies in Laravel Valet's improper handling of file permissions for the symlinked valet executable. The symlink pointing to the valet binary is writable by users who can then replace or modify the target with malicious code. When sudo operations are performed through Valet, the modified code executes with root privileges, bypassing normal privilege boundaries.
Attack Vector
This is a local attack vector requiring the attacker to have user-level access to a macOS system with a vulnerable Laravel Valet installation. The attack does not require user interaction and can be executed with high privileges if the attacker can write to the symlink target location.
The exploitation process involves:
- Identifying a system running Laravel Valet versions 1.1.4 to 2.0.3
- Locating the symlinked valet command (typically in /usr/local/bin/valet)
- Modifying the symlink target or the underlying script to include malicious payload
- Triggering a Valet operation that invokes sudo, causing the malicious code to execute as root
For technical exploitation details and proof-of-concept code, see the Exploit-DB #50591 advisory.
Detection Methods for CVE-2021-47756
Indicators of Compromise
- Unexpected modifications to the valet symlink or its target script
- Unusual sudo operations originating from the valet command
- Changes to file permissions on /usr/local/bin/valet or related Valet configuration directories
- New or modified files in Valet's installation directory with unexpected ownership or permissions
Detection Strategies
- Monitor file integrity of the valet binary and symlinks using host-based file integrity monitoring tools
- Implement audit logging for sudo command executions, filtering for valet-related operations
- Review system logs for privilege escalation attempts or unexpected root-level process spawning from PHP or composer contexts
- Use endpoint detection tools to identify anomalous permission changes on developer tools
Monitoring Recommendations
- Enable macOS Unified Logging and monitor for suspicious executil events related to valet
- Configure SentinelOne's Deep Visibility to track symlink modifications in /usr/local/bin/
- Set up alerts for any sudo executions that originate from modified valet scripts
- Periodically audit Laravel Valet installations across development machines for version compliance
How to Mitigate CVE-2021-47756
Immediate Actions Required
- Upgrade Laravel Valet to version 2.0.4 or later immediately
- Audit all macOS development systems for vulnerable Laravel Valet installations
- Review recent sudo logs for any suspicious activity related to the valet command
- Restrict write access to the /usr/local/bin/ directory and Valet installation paths
Patch Information
The vulnerability is addressed in Laravel Valet version 2.0.4 and later releases. Organizations should upgrade all installations to the latest stable version available. For detailed upgrade instructions, consult the Laravel Valet Documentation.
Additional information about this vulnerability is available through the VulnCheck Advisory for Laravel Valet.
Workarounds
- If immediate patching is not possible, remove sudo privileges from the valet command until upgrade can be performed
- Change ownership of the valet symlink and target to root with restricted write permissions
- Implement filesystem access controls to prevent modification of the valet executable path
- Consider uninstalling Laravel Valet on production-adjacent systems where it is not strictly necessary
# Verify Laravel Valet version
valet --version
# Upgrade Laravel Valet via Composer
composer global update laravel/valet
# Verify symlink permissions (should be root-owned)
ls -la /usr/local/bin/valet
# If needed, fix permissions manually
sudo chown root:wheel /usr/local/bin/valet
sudo chmod 755 /usr/local/bin/valet
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
