
CWE-915 — Vulnerability Class 54

54 vulnerabilities classified as CWE-915. AI Chinese analysis included.

CWE-915 represents a critical input validation weakness where software fails to restrict which object attributes can be modified based on external input. Attackers typically exploit this by injecting malicious data that targets internal or privileged properties, such as access control flags or system configuration settings, rather than intended user-facing fields. This unauthorized modification can bypass security mechanisms, escalate privileges, or cause denial of service by corrupting the object’s internal state. To prevent this vulnerability, developers must implement strict allow-lists that explicitly define permissible attributes for modification, ensuring that only expected fields are updated. Additionally, employing robust serialization frameworks with built-in validation and conducting thorough code reviews to identify dynamic attribute assignment patterns are essential strategies for mitigating this risk and maintaining application integrity.

MITRE CWE Description
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.
Common Consequences (3)
Integrity: Modify Application Data. An attacker could modify sensitive data or program variables.
Integrity: Execute Unauthorized Code or Commands.
Other, Integrity: Varies by Context, Alter Execution Logic.
Mitigations (4)
Implementation: If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Architecture and Design, Implementation: If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Implementation: For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Implementation, Architecture and Design: Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
Examples (1)
This function sets object attributes based on a dot-separated path. Nothing restricts which segments may appear in the path, so a client can walk into the prototype chain instead of the object's own data.

```javascript
function setValueByPath(object, path, value) {
  const pathArray = path.split(".");
  const attributeToSet = pathArray.pop();
  let objectToModify = object;
  // Walk (and auto-create) intermediate nodes; no check excludes
  // segments such as __proto__ or constructor, so the walk can land
  // on a shared prototype rather than on this object.
  for (const attr of pathArray) {
    if (typeof objectToModify[attr] !== 'object') {
      objectToModify[attr] = {};
    }
    objectToModify = objectToModify[attr];
  }
  objectToModify[attributeToSet] = value;
  return object;
}
```
Bad · JavaScript

```javascript
setValueByPath({}, "__proto__.isAdmin", true)
setValueByPath({}, "constructor.prototype.isAdmin", true)
```
Bad · JavaScript
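A hardened counterpart to the setValueByPath function above, applying the allow-list mitigations listed earlier: forbidden path segments are refused, only own properties are traversed, and the root attribute must be on an explicit allow-list. This is added example code, not from the page or any project; the names safeSetValueByPath, applyUpdates, PathError and the contents of ALLOWED_ROOT_ATTRS are assumptions made for the example.

```javascript
// Segments that would reach Object.prototype (or another shared prototype)
// instead of the target object's own data.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

class PathError extends Error {}

// Assumed allow-list of root attributes a client may update; internal
// flags such as isAdmin are simply absent and therefore rejected.
const ALLOWED_ROOT_ATTRS = new Set(["displayName", "profile", "preferences"]);

function safeSetValueByPath(object, path, value, allowedRoots = ALLOWED_ROOT_ATTRS) {
  const pathArray = path.split(".");
  if (pathArray.some((seg) => seg === "" || FORBIDDEN_SEGMENTS.has(seg))) {
    throw new PathError(`forbidden path segment in "${path}"`);
  }
  if (!allowedRoots.has(pathArray[0])) {
    throw new PathError(`attribute "${pathArray[0]}" is not updatable`);
  }
  const attributeToSet = pathArray.pop();
  let objectToModify = object;
  for (const attr of pathArray) {
    // Descend only into own, plain-object properties, never inherited ones.
    const existing = Object.hasOwn(objectToModify, attr) ? objectToModify[attr] : undefined;
    if (existing === null || typeof existing !== "object") {
      // Null-prototype container: intermediate nodes inherit no setters.
      objectToModify[attr] = Object.create(null);
    }
    objectToModify = objectToModify[attr];
  }
  objectToModify[attributeToSet] = value;
  return object;
}

// Applies a batch of client-supplied updates and reports the rejected paths,
// which is what a request handler would log for detection.
function applyUpdates(object, updates) {
  const rejected = [];
  for (const [path, value] of Object.entries(updates)) {
    try {
      safeSetValueByPath(object, path, value);
    } catch (e) {
      if (!(e instanceof PathError)) throw e;
      rejected.push(path);
    }
  }
  return { object, rejected };
}

// Constructed sample request body: two legitimate fields plus the page's payloads.
const sampleUpdates = {
  "displayName": "alice",
  "preferences.theme": "dark",
  "__proto__.isAdmin": true,
  "constructor.prototype.isAdmin": true,
  "isAdmin": true,
};
```

Running applyUpdates({}, sampleUpdates) updates displayName and preferences.theme only, rejects the three other paths, and leaves both Object.prototype and the target object without an isAdmin property.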
| CVE ID | Title | Product | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-14341 | Input Data Manipulation in DivvyDrive Information Technologies' DivvyDrive | DivvyDrive | 8.3 | High | 2026-05-07 |
| CVE-2026-41139 | Unsafe array index getter in mathjs | mathjs | 6.1 | - | 2026-05-07 |
| CVE-2026-33453 | Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet Pre-Auth Remote Code Execution | Apache Camel | 9.8 | Critical (AI) | 2026-04-27 |
| CVE-2026-42044 | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` | axios | 6.5 | Medium | 2026-04-24 |
| CVE-2026-40897 | Math.js: Unsafe object property setter in mathjs | mathjs | 8.8 | High | 2026-04-24 |
| CVE-2026-6912 | Privilege Escalation via Self-Writable Cognito Custom Attribute in AWS Ops Wheel | AWS Ops Wheel | 8.8 | High | 2026-04-24 |
| CVE-2026-34427 | Vvveb < 1.0.8.1 Privilege Escalation via admin/user/save | Vvveb | 8.8 | High | 2026-04-20 |
| CVE-2026-40486 | Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate | kimai | 4.3 | Medium | 2026-04-17 |
| CVE-2026-34179 | Update of type field in restricted TLS certificate allows privilege escalation to cluster admin | lxd | 9.1 | Critical | 2026-04-09 |
| CVE-2026-5708 | Improper Control of User-Modifiable Attributes in RES CreateSession API | Research and Engineering Studio (RES) | 8.8 | High | 2026-04-06 |
| CVE-2026-5251 | z-9527 admin User Update Endpoint user.js dynamically-determined object attributes | admin | 6.3 | Medium | 2026-04-01 |
| CVE-2026-5248 | gougucms User Registration Login.php reg_submit dynamically-determined object attributes | gougucms | 6.3 | Medium | 2026-04-01 |
| CVE-2026-34406 | APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint | APTRS | 8.8 | - | 2026-03-31 |
| CVE-2026-27953 | ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor | ormar | 7.1 | High | 2026-03-19 |
| CVE-2026-32742 | Parse Server session creation endpoint allows overwriting server-generated session fields | parse-server | 4.3 | Medium | 2026-03-18 |
| CVE-2026-29056 | Kanboard's privilege escalation via mass assignment in user invite registration allows any invited user to become admin | kanboard | 8.8 | - | 2026-03-18 |
| CVE-2026-32640 | (SimpleEval) Objects (including modules) can leak dangerous modules through to direct access inside the sandbox. | simpleeval | 7.5 | High (AI) | 2026-03-13 |
| CVE-2026-30822 | Flowise: Mass Assignment in `/api/v1/leads` Endpoint | Flowise | 5.3 | - | 2026-03-07 |
| CVE-2025-15602 | Snipe-IT < 8.3.7 Mass Assignment Vulnerability Leading to Privilege Escalation | Snipe-IT | 8.8 | High | 2026-03-06 |
| CVE-2026-28219 | Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners | discourse | 4.3 | Medium (AI) | 2026-02-26 |
| CVE-2026-27125 | Svelte SSR attribute spreading includes inherited properties from prototype chain | svelte | 3.7 | - | 2026-02-20 |
| CVE-2026-24140 | MyTube has Mass Assignment via Settings Management | MyTube | 2.7 | Low | 2026-01-23 |
| CVE-2026-22814 | Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State | lucid | 7.5 | High (AI) | 2026-01-13 |
| CVE-2026-21695 | Titra API Contains Mass Assignment Vulnerability | titra | 4.3 | Medium | 2026-01-07 |
| CVE-2025-9315 | Unauthenticated Device Registration Vulnerability in MXsecurity Series | MXsecurity Series | 9.4 | Critical (AI) | 2025-12-10 |
| CVE-2025-13081 | Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006 | Drupal core | 9.8 | Critical (AI) | 2025-11-18 |
| CVE-2025-52656 | HCL MyXalytics product is affected by Mass Assignment vulnerability | HCL MyXalytics | 7.6 | High | 2025-10-03 |
| CVE-2025-7104 | Mass Assignment in danny-avila/librechat | danny-avila/librechat | 9.1 | Critical (AI) | 2025-09-29 |
| CVE-2025-58367 | DeepDiff is vulnerable to DoS and Remote Code Execution via Delta class pollution | deepdiff | 9.8 | Critical (AI) | 2025-09-05 |
| CVE-2025-6107 | comfyanonymous comfyui utils.py set_attr dynamically-determined object attributes | comfyui | 3.1 | Low | 2025-06-16 |

Severity marked "(AI)" was assigned by the site's automated analysis rather than taken from the advisory; "-" means no severity was given.

Vulnerabilities classified as CWE-915 represent 54 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.