N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-44pg-c29v-hp6r

EPSS Score

CWE

CWE-20

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-44pg-c29v-hp6r

GHSA-44pg-c29v-hp6r: Laravel Guard bypass in Eloquent models

In laravel releases before 6.18.34 and 7.23.2. It was possible to mass assign Eloquent attributes that included the model's table name:

$model->fill(['users.name' => 'Taylor']);

When doing so, Eloquent would remove the table name from the attribute for you. This was a "convenience" feature of Eloquent and was not documented.

However, when paired with validation, this can lead to unexpected and unvalidated values being saved to the database. For this reason, we have removed the automatic stripping of table names from mass-asignment operations so that the attributes go through the typical "fillable" / "guarded" logic. Any attributes containing table names that are not explicitly declared as fillable will be discarded.

This security release will be a breaking change for applications that were relying on the undocumented table name stripping during mass assignment. Since this feature was relatively unknown and undocumented, we expect the vast majority of Laravel applications to be able to upgrade without issues.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-44pg-c29v-hp6r

EPSS Score

CWE

CWE-20

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
laravel/framework	composer	>= 5.5.0, <= 5.5.49
laravel/framework	composer	>= 6.0.0, < 6.18.34	6.18.34
laravel/framework	composer	>= 7.0.0, < 7.23.2	7.23.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how Laravel's Eloquent Model processed mass assignment attributes. The fill() method (or its internal helpers) automatically removed table prefixes from attribute keys (e.g., 'users.name' → 'name') before checking against $fillable/$guarded. This preprocessing occurred before validation, allowing attackers to submit attributes with table prefixes that would be transformed into valid fillable fields after stripping. The security fix removed this automatic stripping, meaning the full attribute name (including table prefix) must now be explicitly declared as fillable. The fill() method is explicitly mentioned in the vulnerability example and is the primary entry point for mass assignment operations, making it the clear vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In l*r*v*l r*l**s*s ***or* *.**.** *n* *.**.*. It w*s possi*l* to m*ss *ssi*n *loqu*nt *ttri*ut*s t**t in*lu*** t** mo**l's t**l* n*m*: ``` $mo**l->*ill(['us*rs.n*m*' => 'T*ylor']); ``` W**n *oin* so, *loqu*nt woul* r*mov* t** t**l* n*m* *rom t** *tt

Reasoning

T** vuln*r**ility st*ms *rom *ow L*r*v*l's *loqu*nt Mo**l pro**ss** m*ss *ssi*nm*nt *ttri*ut*s. T** `*ill()` m*t*o* (or its int*rn*l **lp*rs) *utom*ti**lly r*mov** t**l* pr**ix*s *rom *ttri*ut* k*ys (*.*., 'us*rs.n*m*' → 'n*m*') ***or* ****kin* ***in

N/A

Basic Information

Concerned about an active attack path?

GHSA-44pg-c29v-hp6r: Laravel Guard bypass in Eloquent models

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI