spatie/laravel-honeypot is vulnerable to Protection Mechanism Bypass
53
Medium Risk
The honeypot spam check in SpamProtection (previously the ProtectAgainstSpam middleware) decides whether the hidden honeypot field is blank using PHP's empty() function. Because empty("0") evaluates to true in PHP, a request that submits the string "0" in the honeypot field is treated as a genuinely empty (human) submission and passes spam protection instead of being rejected. This lets automated bots reliably bypass the honeypot spam filter by posting "0" (and other falsy values) in the trap field. The fix replaces the empty() check with a strict comparison that only treats null or an empty string as blank, so "0" is now flagged as spam.
You are affected if you are using a version that falls within the vulnerable range.
spatie/laravel-honeypot is vulnerable to Protection Mechanism Bypass in versions 0.0.1 - 4.7.1.
Upgrade the spatie/laravel-honeypot library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant