Intel

AIKIDO-2026-897214

spatie/laravel-honeypot is vulnerable to Protection Mechanism Bypass

Protection Mechanism Bypass Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

53

Medium Risk

This Affects:

PHPspatie/laravel-honeypot
0.0.1 - 4.7.1
Fixed in 4.7.2
Are you affected? Scan for Free

TL;DR

The honeypot spam check in SpamProtection (previously the ProtectAgainstSpam middleware) decides whether the hidden honeypot field is blank using PHP's empty() function. Because empty("0") evaluates to true in PHP, a request that submits the string "0" in the honeypot field is treated as a genuinely empty (human) submission and passes spam protection instead of being rejected. This lets automated bots reliably bypass the honeypot spam filter by posting "0" (and other falsy values) in the trap field. The fix replaces the empty() check with a strict comparison that only treats null or an empty string as blank, so "0" is now flagged as spam.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

spatie/laravel-honeypot is vulnerable to Protection Mechanism Bypass in versions 0.0.1 - 4.7.1.

How to fix this

Upgrade the spatie/laravel-honeypot library to the patch version.