What it is
An API Mass Assignment Vulnerability occurs when an API automatically binds client-supplied input to the properties of an internal object without an explicit allow-list of the fields a client may set. Attackers can then modify sensitive fields (such as roles, permissions, or pricing) that were never intended to be user-controlled, simply by including them in a request body.
Why it matters
Mass assignment flaws can lead to:
- Privilege escalation (e.g. user to admin)
- Business logic abuse
- Data integrity compromise
These issues are especially common in modern REST and GraphQL APIs built on frameworks that bind request bodies to model objects automatically, because every field on the model becomes writable unless the developer restricts it.
How to reduce risk
- Explicitly allow-list API parameters
- Separate public DTOs from internal models
- Validate and enforce server-side authorization on every field
- Perform API security testing and schema validation
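The first two mitigations above, shown side by side as an added example (not code from the original page or from any particular framework): a hypothetical profile-update handler that binds the whole request body, and the same handler restricted to an explicit allow-list that rejects, rather than silently drops, unexpected fields so that probing for hidden properties leaves a trace. The user record, field names and payload are constructed for the illustration.

```python
import json

# Constructed example record: 'role' and 'credit' are server-controlled
# and must never be writable through the public profile endpoint.
SAMPLE_USER = {"id": 42, "email": "alice@example.test",
               "display_name": "Alice", "role": "user", "credit": 0}

# Fields a client may legitimately change via this endpoint (hypothetical).
PROFILE_ALLOWED = frozenset({"email", "display_name"})

# Constructed request body: a legitimate change plus a server-only field.
SAMPLE_BODY = '{"display_name": "Alice B.", "role": "admin"}'


class RejectedFields(ValueError):
    """Raised when a request carries fields outside the allow-list."""

    def __init__(self, fields):
        super().__init__(f"unexpected fields: {sorted(fields)}")
        self.fields = frozenset(fields)


def rejected_fields(payload: dict, allowed=PROFILE_ALLOWED) -> frozenset:
    """Return the client-supplied keys that are not on the allow-list."""
    return frozenset(payload) - allowed


def update_profile_vulnerable(user: dict, body: str) -> dict:
    """Mass-assignment bug: every key in the body lands on the model."""
    updated = dict(user)
    updated.update(json.loads(body))   # 'role' and 'credit' silently overwritten
    return updated


def update_profile_safe(user: dict, body: str, allowed=PROFILE_ALLOWED) -> dict:
    """Allow-listed binding: copies only permitted keys and rejects the rest.

    Rejecting (instead of ignoring) unknown keys turns a probe for hidden
    fields into a 4xx response and a log line the defender can alert on.
    """
    payload = json.loads(body)
    extra = rejected_fields(payload, allowed)
    if extra:
        raise RejectedFields(extra)
    updated = dict(user)
    for key in allowed & set(payload):
        updated[key] = payload[key]
    return updated
```

Authorization is still enforced per field: a separate endpoint used by administrators would pass a different, wider allow-list after checking the caller's role server-side.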