Mass Assignment

Mass assignment lets attackers set fields they should not be able to set, by submitting them in a form whose handler accepts the entire model.

Definition

Mass assignment is the vulnerability in which an application accepts an attacker-controlled property bag (form-encoded body, JSON body) and updates a domain model by iterating every property in the bag. If the model has security-relevant fields (`is_admin`, `role`, `tenant_id`) and the iteration does not filter them, the attacker sets them by submitting them with the request.

The pattern is most associated with Rails and the early ActiveRecord-style ORMs, but Java's bean-binding, Spring's data-binder, .NET's model-binding, and Node's "spread the request body" idiom all introduce it. Spring4Shell (CVE-2022-22965) is exactly mass-assignment to a class-property attribute that turned into RCE.

How it works

The handler reads the JSON body and calls `Object.assign(user, body)` (Node), `user.update_attributes(params[:user])` (Rails) or `@ModelAttribute User user` (Spring). Any field the body contains that the model also has — including `is_admin` — is set. The attacker submits the same form a regular user would but adds an extra field, and the server obligingly grants them administrator rights.

Impact

Privilege escalation, tenant escape, integrity loss. Spring4Shell escalated this to RCE through the class-loader gadget.

Mitigation

Use explicit allowlists: a "strong parameters" pattern in the controller that names exactly the fields the handler accepts. In Rails, `params.require(:user).permit(:email, :name)`. In Spring, `@InitBinder` with `setDisallowedFields` (or, after Spring4Shell, upgrade to the patched Spring Framework release). In Node, never spread an untrusted body into a model; pick the accepted fields explicitly and drop everything else. OWASP's Mass Assignment Cheat Sheet covers each framework.
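The Node idiom from the "How it works" section beside its allowlisted form, as an added example (not code from the original page): `makeUser`, `PROFILE_FIELDS` and the attacker body are constructed for the demo.

```javascript
// Added example: vulnerable "spread the body into the model" handler
// next to an explicit-allowlist ("strong parameters") version.
// The User model and the request body below are constructed for this demo.

function makeUser() {
  return { id: 42, email: 'alice@example.test', name: 'Alice', is_admin: false, tenant_id: 7 };
}

// Vulnerable: every property in the untrusted body lands on the model,
// so an extra `is_admin: true` in the request is honoured.
function updateProfileVulnerable(user, body) {
  Object.assign(user, body);
  return user;
}

// Hardened: the handler names exactly the fields it accepts.
// Anything else in the body is dropped and reported so it can be logged.
const PROFILE_FIELDS = ['email', 'name'];

function pickAllowed(body, allowed) {
  const picked = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (allowed.includes(key)) picked[key] = body[key];
    else rejected.push(key);
  }
  return { picked, rejected };
}

function updateProfileHardened(user, body) {
  const { picked, rejected } = pickAllowed(body, PROFILE_FIELDS);
  Object.assign(user, picked);
  return { user, rejected };
}

// Constructed attacker request: an ordinary profile edit plus one extra field.
const ATTACK_BODY = { name: 'Alice', is_admin: true };
```

Running both handlers over `ATTACK_BODY` shows the vulnerable one flipping `is_admin` while the hardened one leaves it untouched and reports `is_admin` as a rejected key, which is the signal worth alerting on in production.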

Examples

  • CVE-2022-22965 — Spring4Shell; mass-assignment into class-loader properties.
  • CVE-2012-2054 — GitHub mass-assignment leading to public-key takeover.
