保護DataHogo
Security Encyclopedia/Race Conditions & Logic
highCWE-915API3:2023

Mass Assignment Detailed

Passing the entire request body directly to database create or update operations allows attackers to set any field, including internal ones like verified, credits, or billing status.

How It Works

Mass assignment happens when an application takes the entire request body and passes it directly to an ORM's create or update method. The developer intends for the endpoint to update name and email, but an attacker adds extra fields to the request body. Since the ORM accepts any valid column name, fields like emailVerified: true, credits: 999999, billingPlan: 'enterprise', or deletedAt: null get written to the database. Unlike privilege escalation which specifically targets role fields, mass assignment can affect any column — financial balances, verification status, subscription tiers, soft-delete flags, or internal tracking fields. Any field in the database model becomes attackable.

Vulnerable Code
app.post('/api/users', async (req, res) => {
  const user = await db.user.create({ data: req.body });
  // Attacker sends: { name: 'Hacker', email: 'h@ck.er',
  //   emailVerified: true, credits: 999999,
  //   billingPlan: 'enterprise' }
  res.json(user);
});
Secure Code
const createUserSchema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email()
});
app.post('/api/users', async (req, res) => {
  const data = createUserSchema.parse(req.body);
  const user = await db.user.create({ data });
  res.json(user);
});

Real-World Example

In 2012, a mass assignment vulnerability in GitHub allowed a user named Egor Homakov to add his SSH key to the Rails organization by exploiting the public key update endpoint. He modified the user_id parameter in the request to associate his key with the Rails core team, gaining commit access to the Ruby on Rails repository.

How to Prevent It

  • Always validate request bodies with Zod schemas that define exactly which fields are accepted
  • Never pass req.body directly to ORM create or update methods
  • Use allowlist patterns — explicitly pick only the fields you expect
  • Separate DTOs for create vs update operations to limit writable fields per action

Affected Technologies

Node.jsPythonGoJavaPHP

Data Hogo detects this vulnerability automatically.

Scan Your Repo Free

Related Vulnerabilities

Race Condition in Payments

high

Read-modify-write payment operations without database transactions allow attackers to exploit timing windows and spend the same balance multiple times.

CWE-362A04:2021

Price Manipulation

critical

Accepting prices from the client instead of looking them up server-side allows attackers to modify checkout requests and purchase items at any price they choose.

CWE-472A04:2021

Feature Flags Exposed

low

Feature flags included in the frontend JavaScript bundle reveal unreleased features, internal testing configurations, and potential attack surfaces to anyone inspecting the code.

CWE-200A05:2021

Debug Routes in Production

medium

Development and testing routes like /debug, /test, /seed, or /api/dev left active in production expose internal data, bypass authentication, or allow state manipulation.

CWE-489A05:2021