GHSA-44pg-c29v-hp6r: Laravel Guard bypass in Eloquent models

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 5/15/2024
Updated: 5/15/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name      | Ecosystem | Vulnerable Versions   | First Patched Version
laravel/framework | composer  | >= 5.5.0, <= 5.5.49   | -
laravel/framework | composer  | >= 6.0.0, < 6.18.34   | 6.18.34
laravel/framework | composer  | >= 7.0.0, < 7.23.2    | 7.23.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from how Laravel's Eloquent Model processed mass-assignment attributes. The fill() method (or its internal helpers) automatically stripped table prefixes from attribute keys (e.g. 'users.name' → 'name') before checking them against $fillable/$guarded. Because this rewriting happened before the guard check, a caller could submit prefixed keys that only became valid fillable names after stripping, so the name the guard evaluated was not the name the caller actually submitted. The fix removed the automatic stripping: the full attribute name, table prefix included, must now be declared fillable explicitly. fill() is the method named in the advisory example and the primary entry point for mass assignment, which makes it the vulnerable function.
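The normalize-then-check behaviour described above, as an added illustration that is not part of this advisory or of Laravel's own code: a hypothetical MiniModel class with a $fillable allowlist, run once with the pre-fix key rewriting and once with the fixed behaviour (key checked exactly as submitted). The class, the expect() helper and the constructed request payload are assumptions made for this example; only the 'users.name' key and the $fillable/$guarded vocabulary come from the page.

```php
<?php
// Added illustration, not Laravel's own code: a minimal model with a
// mass-assignment guard, run once with the pre-fix behaviour (table prefix
// stripped from the key before the $fillable check) and once with the fixed
// behaviour (the key is checked exactly as submitted).
declare(strict_types=1);

final class MiniModel
{
    /** @var array<string, mixed> attributes set so far */
    private array $attributes = [];

    /**
     * @param string[] $fillable attribute names that fill() may set (allowlist)
     * @param bool     $stripTablePrefix true reproduces the pre-fix rewriting
     */
    public function __construct(
        private array $fillable,
        private bool $stripTablePrefix,
    ) {
    }

    /** Pre-fix style rewrite: 'users.name' becomes 'name'. */
    private static function removeTableFromKey(string $key): string
    {
        $pos = strrpos($key, '.');

        return $pos === false ? $key : substr($key, $pos + 1);
    }

    /**
     * Mass-assign $input, honouring $fillable.
     * Returns the submitted keys the guard rejected.
     *
     * @param array<string, mixed> $input
     * @return string[]
     */
    public function fill(array $input): array
    {
        $rejected = [];

        foreach ($input as $submittedKey => $value) {
            // The security-relevant step: with stripping on, the guard decides
            // on a key the caller never sent ('name' instead of 'users.name').
            $key = $this->stripTablePrefix
                ? self::removeTableFromKey($submittedKey)
                : $submittedKey;

            if (in_array($key, $this->fillable, true)) {
                $this->attributes[$key] = $value;
            } else {
                $rejected[] = $submittedKey;
            }
        }

        return $rejected;
    }

    /** @return array<string, mixed> */
    public function getAttributes(): array
    {
        return $this->attributes;
    }
}

/** Tiny check helper (hypothetical) so the script fails loudly on a broken expectation. */
function expect(bool $condition, string $message): void
{
    if (! $condition) {
        throw new RuntimeException($message);
    }
}

// Constructed request payload: an untrusted caller sends table-prefixed keys.
$payload = [
    'users.name'     => 'Taylor',
    'users.is_admin' => true,
    'email'          => 'taylor@example.com',
];
$fillable = ['name', 'email'];

// Pre-fix behaviour: 'users.name' is rewritten to 'name' before the guard runs,
// so it passes although the caller never sent a plain 'name' key.
$old = new MiniModel($fillable, stripTablePrefix: true);
$rejectedOld = $old->fill($payload);
expect($old->getAttributes()['name'] === 'Taylor', 'pre-fix: prefixed key reached a fillable attribute');
expect($rejectedOld === ['users.is_admin'], 'pre-fix: a non-fillable key is still rejected');

// Fixed behaviour: the guard sees 'users.name' as submitted, finds it absent
// from $fillable and rejects it; only the plain 'email' key is assigned.
$new = new MiniModel($fillable, stripTablePrefix: false);
$rejectedNew = $new->fill($payload);
expect(! array_key_exists('name', $new->getAttributes()), 'fixed: prefixed key must not map onto "name"');
expect($rejectedNew === ['users.name', 'users.is_admin'], 'fixed: every prefixed key is rejected');
expect($new->getAttributes() === ['email' => 'taylor@example.com'], 'fixed: only plain fillable keys assigned');

echo "guard behaves as expected in both modes\n";
```

The last three expect() calls are the shape of a regression test a project can keep after upgrading past 6.18.34 / 7.23.2: feed the guard a dotted key and assert that it never lands on an un-prefixed attribute. The general lesson is to make authorization decisions on the exact name the caller supplied, or to canonicalize once and then apply every check to that single canonical form.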


WAF Protection Rules

WAF Rule

In Laravel releases before 6.18.34 and 7.23.2, it was possible to mass assign Eloquent attributes that include the model's table name:

```
$model->fill(['users.name' => 'Taylor']);
```

When doing so, Eloquent would remove the table name from the att
