URL Redirection to Untrusted Site (‘Open Redirect’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using Object.assign() to merge user-controlled data into an existing object lets an attacker overwrite sensitive fields or introduce properties the code never expected, especially when the input comes straight from a source like JSON.parse(). The result is that data is exposed or modified in ways you did not intend.
Impact
If exploited, an attacker could manipulate object properties such as user roles, permissions, or internal flags, leading to unauthorized access, privilege escalation, or data leakage. This can break access controls and compromise sensitive information across your application.
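The pattern described above and its fix, as an added example that is not part of the original entry: a constructed user record and a constructed JSON request body show how a bare Object.assign() lets the client overwrite the `role` field, while an allowlist merge (the `PROFILE_FIELDS` list and helper names are assumptions for this example) copies only the fields the endpoint is meant to accept and reports the rest for logging.

```javascript
// Added example, not code from the original page.
// Constructed sample record: role must only change through an admin flow.
function makeUser() {
  return { id: 42, name: 'alice', role: 'user', email: 'alice@example.test' };
}

// Constructed request body standing in for attacker-controlled JSON.
const UNTRUSTED_BODY = '{"name":"alice2","role":"admin"}';

// Vulnerable: merges whatever the client sent straight into the record,
// so any property of the parsed JSON, including role, lands on the user.
function updateProfileUnsafe(user, body) {
  return Object.assign(user, JSON.parse(body));
}

// Hardened: the endpoint declares the fields it accepts (assumed names),
// and only those are copied. hasOwnProperty.call avoids picking up
// inherited keys and works even if the input has no prototype.
const PROFILE_FIELDS = ['name', 'email'];

function updateProfileSafe(user, body) {
  const input = JSON.parse(body);
  const patch = {};
  for (const key of PROFILE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(input, key)) {
      patch[key] = input[key];
    }
  }
  return Object.assign(user, patch);
}

// Detection aid: keys in the body that fall outside the allowlist, which
// is what a log line or alert for attempted mass assignment should record.
function rejectedKeys(body) {
  return Object.keys(JSON.parse(body)).filter((k) => !PROFILE_FIELDS.includes(k));
}
```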