PT-2024-40061 · Laravel · Laravel
Published 2024-05-15 · Updated 2024-05-15
Severity: none assigned. No severity ratings or metrics are available for this issue.
Name of the Vulnerable Software and Affected Versions
Laravel versions prior to 6.18.34
Laravel versions prior to 7.23.2
Description
A security issue was found in Laravel's Eloquent ORM: attribute keys qualified with the model's table name (for example `users.email` instead of `email`) were accepted during mass assignment. An undocumented "convenience" feature of Eloquent stripped the table prefix from the key before the "fillable" / "guarded" check, so the value was written to the unqualified column. Combined with the common pattern of validating a request and then passing the whole input to `fill()` or `create()`, this allowed validation to be bypassed: the rules are keyed on `email`, the validator never sees `users.email`, and the prefixed copy overwrites the validated value with an unvalidated one before the row is saved. The feature has been removed so that every key goes through the usual "fillable" / "guarded" logic exactly as sent, and any key containing a table name that is not explicitly declared as fillable is discarded. Note that PHP itself rewrites dots in form-encoded field names to underscores, so the qualified key has to arrive in input that Laravel decodes on its own, such as a JSON request body.
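To make the mechanism concrete, here is an added, stand-alone PHP 8 script (not Laravel's code and not part of the advisory) that models the mass-assignment decision on a guard-based model with and without the removed table-name stripping step, run against a constructed request body. The function names, the `$guarded` list and the request contents are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's own code. It models the mass-assignment check
// described in the advisory on a guard-based model, with the table-name
// stripping step switched on (vulnerable versions) and off (fixed versions).
// Function names, the $guarded list and the request body are assumptions.

// Minimal stand-in for the fillable/guarded decision in an Eloquent model.
function isFillable(string $key, array $fillable, array $guarded): bool
{
    if ($fillable !== []) {
        return in_array($key, $fillable, true);          // whitelist mode
    }
    if ($guarded === ['*'] || in_array($key, $guarded, true)) {
        return false;                                     // blacklist mode
    }
    // Per the advisory, a key that still carries a table prefix and is not
    // explicitly fillable is discarded once the stripping step is gone.
    return !str_contains($key, '.') && !str_starts_with($key, '_');
}

// $stripTable = true reproduces the pre-fix behaviour: "users.email" is reduced
// to "email" before the check, so it overwrites the validated value.
function massAssign(array $input, array $fillable, array $guarded, bool $stripTable): array
{
    // With a whitelist, keys are intersected with $fillable as sent, before any
    // stripping, which is why an explicit $fillable works as a workaround.
    if ($fillable !== []) {
        $input = array_intersect_key($input, array_flip($fillable));
    }

    $attributes = [];
    foreach ($input as $key => $value) {
        if ($stripTable && str_contains($key, '.')) {
            $key = substr($key, strrpos($key, '.') + 1);
        }
        if (isFillable($key, $fillable, $guarded)) {
            $attributes[$key] = $value;
        }
    }
    return $attributes;
}

// Constructed attacker request: the validated key plus a table-qualified copy.
// A validator with a rule on "email" never looks at "users.email".
$request = [
    'email'       => 'alice@example.com',
    'users.email' => 'not-an-address',
];

// Guard-based model, as in many code bases: everything but "id" is assignable.
$guarded = ['id'];

$vulnerable  = massAssign($request, [], $guarded, true);       // pre-fix logic
$fixed       = massAssign($request, [], $guarded, false);      // 6.18.34 / 7.23.2 logic
$whitelisted = massAssign($request, ['email'], [], true);      // pre-fix logic + explicit $fillable

echo "vulnerable:  ", json_encode($vulnerable), PHP_EOL;
echo "fixed:       ", json_encode($fixed), PHP_EOL;
echo "whitelisted: ", json_encode($whitelisted), PHP_EOL;
```

Run it with `php demo.php`. The first result shows the vulnerable versions: the unvalidated `users.email` value ends up under `email`. The other two, the fixed logic and the explicit `$fillable` workaround applied to the old logic, keep the validated address and drop the qualified key.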
Recommendations
For versions prior to 6.18.34, update to version 6.18.34 or later to resolve the issue.
For versions prior to 7.23.2, update to version 7.23.2 or later to resolve the issue.
As a temporary workaround on versions that cannot be upgraded, declare an explicit `$fillable` whitelist on models instead of relying on `$guarded`; this restricts mass assignment to the listed attribute names, so a table-qualified key such as `users.email` is not accepted. Independently of the version, pass only validated input (the array returned by `$request->validate()` or `$request->validated()`) to `fill()` and `create()` rather than `$request->all()`, so that a key which was never validated cannot reach the model at all.
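The controller pattern the recommendations point at, shown as an added example rather than code from the advisory or the framework. `App\User`, the field names and the validation rules are assumptions, and the unsafe variant assumes a model that relies on `$guarded` rather than `$fillable`.

```php
<?php
// Added example (not from the advisory or Laravel's own code). It contrasts the
// request-handling pattern exposed by this issue with the hardened one: only
// validated keys reach mass assignment, and the model declares an explicit
// $fillable whitelist. App\User, the field names and the rules are assumptions.

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;

class UserController extends Controller
{
    // Risky on the vulnerable versions when User relies on $guarded: the "email"
    // rule passes, but a JSON body that also carries "users.email" gets that
    // unvalidated value written to the email column via $request->all().
    public function storeUnsafe(Request $request)
    {
        $request->validate([
            'name'  => 'required|string|max:255',
            'email' => 'required|email',
        ]);

        return User::create($request->all());
    }

    // Hardened: validate() returns only the validated keys, so a key that was
    // never validated cannot reach create(). Pair this with
    // protected $fillable = ['name', 'email']; on the model so that any other
    // key, qualified or not, is dropped as well.
    public function store(Request $request)
    {
        $validated = $request->validate([
            'name'  => 'required|string|max:255',
            'email' => 'required|email',
        ]);

        return User::create($validated);
    }
}
```

The second pattern is the one to keep after upgrading too: the framework fix stops the table-name stripping, but passing `$request->all()` into mass assignment still hands every unvalidated key to the model's fillable/guarded logic, whereas passing the validated array makes that logic a second line of defence rather than the only one.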
Affected Products
Laravel