Severity: high | CWE-269 | OWASP A01:2021

Privilege Escalation

Profile update endpoints that accept role or permission fields from the request body allow users to promote themselves to admin by adding role: 'admin' to their update request.

How It Works

Privilege escalation occurs when an application allows users to modify their own role or permissions through profile update endpoints. If the server blindly spreads the request body into a database update, an attacker can add extra fields like role: 'admin' or isAdmin: true to their profile update request. The server updates all provided fields, including the role, effectively promoting the attacker to administrator. This is a form of mass assignment specifically targeting authorization fields. Even if the frontend form does not include a role field, the attacker can add it directly to the API request using curl or browser dev tools.

Vulnerable Code

app.patch('/api/profile', auth, async (req, res) => {
  const updated = await db.user.update({
    where: { id: req.userId },
    data: req.body  // Attacker sends { name: 'Hacker', role: 'admin' }
  });
  res.json(updated);
});

Secure Code

app.patch('/api/profile', auth, async (req, res) => {
  const { name, email, avatar } = req.body;
  const updated = await db.user.update({
    where: { id: req.userId },
    data: { name, email, avatar }  // Only allowed fields
  });
  res.json(updated);
});

Real-World Example

In 2022, a privilege escalation vulnerability in GitLab (CVE-2022-1162) allowed any authenticated user to set a hardcoded password on accounts provisioned through an OmniAuth provider. This effectively gave attackers access to any account created through SSO, including admin accounts.

How to Prevent It

  • Explicitly destructure and whitelist only allowed fields from the request body
  • Never pass req.body directly to database update operations
  • Use Zod schemas that only include user-editable fields for profile updates
  • Implement separate admin-only endpoints for role changes with additional authorization checks
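The following is an added example, not code from the page or its product, showing the last two points together: an allowlist filter for profile updates that also flags attempts to write authorization fields (so they can be rejected and logged rather than silently dropped), and a separate role-change operation gated by its own authorization check. It assumes the same user shape as the snippets above (name, email, avatar, role); the in-memory `users` map is a constructed stand-in for `db.user` so the code runs offline, and the function names are hypothetical.

```javascript
// Fields a user may change on their own profile.
const PROFILE_FIELDS = ['name', 'email', 'avatar'];
// Fields that control authorization and must never be writable via the profile endpoint.
const PRIVILEGED_FIELDS = ['role', 'isAdmin', 'permissions'];
const ROLES = new Set(['user', 'moderator', 'admin']);

// Build the update payload from an allowlist. Unknown keys are dropped and
// reported; if any of them is an authorization field, flag the request so the
// handler can reject it and the attempt can be logged as a detection signal.
function buildProfileUpdate(body) {
  const data = {};
  const rejected = [];
  for (const key of Object.keys(body ?? {})) {
    if (PROFILE_FIELDS.includes(key)) data[key] = body[key];
    else rejected.push(key);
  }
  const escalationAttempt = rejected.some((k) => PRIVILEGED_FIELDS.includes(k));
  return { data, rejected, escalationAttempt };
}

// Authorization for role changes: only admins, only known roles, and an admin
// cannot change their own role through this path.
function authorizeRoleChange(actor, targetId, newRole) {
  if (actor.role !== 'admin') return { ok: false, reason: 'forbidden' };
  if (!ROLES.has(newRole)) return { ok: false, reason: 'invalid_role' };
  if (actor.id === targetId) return { ok: false, reason: 'self_change' };
  return { ok: true };
}

// Constructed in-memory user table standing in for db.user (assumption, not a real DB).
const users = new Map([
  [1, { id: 1, name: 'alice', email: 'alice@example.com', avatar: null, role: 'user' }],
  [2, { id: 2, name: 'root', email: 'root@example.com', avatar: null, role: 'admin' }],
]);

// What the PATCH /api/profile handler would do with req.userId and req.body.
function updateProfile(userId, body) {
  const { data, rejected, escalationAttempt } = buildProfileUpdate(body);
  if (escalationAttempt) {
    // Log this: a client that sends role/isAdmin to a profile endpoint is probing for mass assignment.
    return { status: 400, error: 'disallowed fields', rejected };
  }
  const user = users.get(userId);
  if (!user) return { status: 404, error: 'not found' };
  Object.assign(user, data);
  return { status: 200, user };
}

// What a separate admin-only endpoint (e.g. PATCH /api/admin/users/:id/role) would do.
function changeRole(actor, targetId, newRole) {
  const auth = authorizeRoleChange(actor, targetId, newRole);
  if (!auth.ok) return { status: 403, error: auth.reason };
  const target = users.get(targetId);
  if (!target) return { status: 404, error: 'not found' };
  target.role = newRole;
  return { status: 200, user: target };
}
```

In an Express app, `updateProfile(req.userId, req.body)` is the body of the profile route and `changeRole(req.user, Number(req.params.id), req.body.role)` the body of the admin route; the important property is that no code path from the profile endpoint can reach the `role` column, whatever the client sends. A Zod schema with `.strict()` over the same three fields gives the same allowlist with a validation error on unknown keys.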

Affected Technologies

Node.js, React, Next.js, Python, Go, Java, PHP

Data Hogo detects this vulnerability automatically.
