Will It Vibe logoWill It Vibe?
LARAVEL-003High severity-15 points

Eloquent model $fillable includes a wildcard

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A $fillable array containing '*' opts every attribute into mass assignment, including ones like is_admin or role that were never meant to be set from a request. Combined with Model::create($request->all()) or ->fill($request->all()), this lets a request set any column on the model.

Why it matters

A $fillable array containing '*' mass-assigns every column on the model, including ones never meant to be set from a request, like is_admin, role, or a foreign key the application assigns itself. Combined with a controller that does Model::create($request->all()), this lets a request set fields it should never be able to touch, a well-documented and frequently exploited Laravel mistake.

How to fix it

Replace the wildcard with an explicit list of the specific columns that are genuinely safe to mass-assign, for example protected $fillable = ['name', 'email'];. Anything sensitive (roles, permissions, foreign keys, verified or paid flags) should be set explicitly in application code, never through mass assignment.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks