| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| illuminate/database | composer | >= 5.5.0, <= 5.5.44 | |
| illuminate/database | composer | >= 6.0.0, < 6.18.34 | 6.18.34 |
| illuminate/database | composer | >= 7.0.0, < 7.23.2 | 7.23.2 |
The vulnerability stems from how mass assignment handled attribute names carrying a table prefix (keys of the form `table.column`). The security advisory explicitly mentions that Eloquent automatically stripped table names during mass assignment as an undocumented feature. The fill() method is the primary entry point for mass assignment in Eloquent models. Before the patch, this method (or one of its helpers) removed the table prefix from each attribute name before checking it against the $fillable/$guarded arrays, so the key an application had validated or filtered was not the key the guard check and the attribute assignment actually used. The patch removed this stripping behaviour, so attribute names must now match the guard rules exactly. While public sources do not name the exact helper that performed the stripping, the fill() method's role in mass assignment makes it the clear entry point for this vulnerability.
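The mismatch described above, as an added illustration rather than framework code: a simplified stand-in for an Eloquent-style model with a pre-patch fill that strips the prefix before the guard check and a patched fill that matches keys exactly. The class, method and attribute names (DemoModel, fillStrippingPrefix, fillExact, appFilter, is_admin) are hypothetical, and the request body is constructed.

```php
<?php
// Simplified stand-in for an Eloquent-style model (hypothetical; not framework code).
final class DemoModel
{
    /** @var array<string,mixed> */
    public $attributes = [];
    /** @var array<string> guarded attribute names; [] means fully unguarded */
    private $guarded;
    /** @var array<string> explicit allowlist; non-empty means only these keys may be set */
    private $fillable;

    public function __construct(array $guarded = [], array $fillable = [])
    {
        $this->guarded = $guarded;
        $this->fillable = $fillable;
    }

    private function isFillable(string $key): bool
    {
        if ($this->fillable !== []) {
            return in_array($key, $this->fillable, true);
        }
        return !in_array($key, $this->guarded, true);
    }

    // Pre-patch behaviour as the advisory describes it: "users.is_admin" is rewritten
    // to "is_admin" before the guard check and the assignment.
    public function fillStrippingPrefix(array $input): self
    {
        foreach ($input as $key => $value) {
            $pos = strrpos($key, '.');
            $key = $pos === false ? $key : substr($key, $pos + 1);
            if ($this->isFillable($key)) {
                $this->attributes[$key] = $value;
            }
        }
        return $this;
    }

    // Patched behaviour: the key is checked and stored exactly as received.
    public function fillExact(array $input): self
    {
        foreach ($input as $key => $value) {
            if ($this->isFillable($key)) {
                $this->attributes[$key] = $value;
            }
        }
        return $this;
    }
}

// Constructed request body; an application-level filter drops the literal "is_admin" key,
// but a model that is fully unguarded ($guarded = []) trusts whatever survives that filter.
function appFilter(array $request): array
{
    return array_diff_key($request, array_flip(['is_admin']));
}
$request = ['name' => 'alice', 'is_admin' => 1, 'users.is_admin' => 1];

$before = (new DemoModel())->fillStrippingPrefix(appFilter($request));
var_dump(array_key_exists('is_admin', $before->attributes)); // prefix stripping re-created the filtered key

$after = (new DemoModel())->fillExact(appFilter($request));
var_dump(array_key_exists('is_admin', $after->attributes));  // exact matching leaves "users.is_admin" untouched

// Independent of the framework version, an explicit allowlist ignores both variants of the key.
$allowlisted = (new DemoModel([], ['name']))->fillStrippingPrefix(appFilter($request));
var_dump(array_keys($allowlisted->attributes));
```

The last case is the defender's takeaway: a non-empty $fillable allowlist, rather than request-side blocklisting, is what keeps validated and guard-checked attribute sets identical.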