Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Assigning user-controlled data (like req.body, req.query, etc.) directly to application objects using Object.assign can unintentionally include sensitive or unauthorized fields. This may expose or overwrite data that should not be modifiable by users.
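The following is an added example, not code from the original page or from any scanner rule it describes. It simulates an Express-style profile update handler without the framework: `loadUser`, `updateProfileUnsafe`, `updateProfileSafe`, `EDITABLE_FIELDS` and the request body are all constructed here. The unsafe variant does exactly what the description warns about (`Object.assign(user, req.body)`); the hardened variant copies only an allowlist of fields and reports every other key so the handler can reject the request or log it for detection.

```javascript
// Added example (not from the original page). Simulates a profile-update
// handler; `req.body` is replaced by a constructed JSON payload below.

// Server-side user record as it would come from the database (constructed sample).
function loadUser() {
  return {
    id: 42,
    email: "alice@example.com",
    displayName: "Alice",
    isAdmin: false,
    passwordHash: "$2b$placeholder-hash",
  };
}

// Vulnerable pattern from the description: every key the client sent is
// written onto the server-side object, including fields the user must not control.
function updateProfileUnsafe(user, body) {
  return Object.assign(user, body);
}

// Allowlist of fields a user is permitted to change on their own profile (assumed policy).
const EDITABLE_FIELDS = ["displayName", "email"];

// Hardened version: copy only allowlisted own keys. Unknown keys are collected
// rather than silently dropped, so the caller can reject the request (strict
// mode) or at least log the attempt. Object.keys() only yields own enumerable
// properties, so a JSON-supplied "__proto__" key is rejected here too instead
// of reaching Object.assign's [[Set]] on the target.
function updateProfileSafe(user, body) {
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (EDITABLE_FIELDS.includes(key)) {
      user[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { user, rejected };
}

// Constructed request body: one legitimate change plus two fields the client
// has no business setting. Parsed from JSON the way a body parser would do it.
const hostileBody = JSON.parse(
  '{"displayName":"Mallory","isAdmin":true,"passwordHash":"attacker-chosen"}'
);

// Run both handlers against a fresh user record so the outcomes can be compared.
function demoUnsafe() {
  return updateProfileUnsafe(loadUser(), hostileBody);
}

function demoSafe() {
  return updateProfileSafe(loadUser(), hostileBody);
}

console.log("unsafe result:", demoUnsafe()); // isAdmin flipped, passwordHash overwritten
console.log("safe result:", demoSafe());     // only displayName changed; rejected lists the rest
```

In a real handler the `rejected` list is the signal worth acting on: responding with a 400 for non-empty `rejected` turns every mass-assignment probe into a logged, failed request instead of a silent partial write. Keeping the allowlist next to the model (rather than filtering in each route) makes it easier to review which fields are client-writable.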
Impact
If exploited, attackers can read, modify, or inject properties in server-side objects, potentially gaining unauthorized access, escalating privileges, or leaking sensitive data. This could lead to data breaches, privilege escalation, or unintended application behavior.