Mass Assignment
Mass assignment lets attackers set fields they should not be able to set, by submitting them in a form whose handler accepts the entire model.
Definition
Mass assignment is the vulnerability in which an application accepts an attacker-controlled property bag (form-encoded body, JSON body) and updates a domain model by iterating every property in the bag. If the model has security-relevant fields (`is_admin`, `role`, `tenant_id`) and the iteration does not filter them, the attacker sets them by submitting them with the request.
The pattern is most associated with Rails and the early ActiveRecord-style ORMs, but Java's bean-binding, Spring's data-binder, .NET's model-binding, and Node's "spread the request body" idiom all introduce it. Spring4Shell (CVE-2022-22965) is exactly mass-assignment to a class-property attribute that turned into RCE.
How it works
The handler reads the JSON body and calls `Object.assign(user, body)` (Node) or `user.update_attributes(params[:user])` (Rails) or `@ModelAttribute User user` (Spring). Any field the body contains that the model also has — including `is_admin` — is set. The attacker submits the same form a regular user would but adds an extra field, and the server obligingly grants them administrator privileges.
Impact
Privilege escalation, tenant escape, integrity loss. Spring4Shell escalated this to RCE through the class-loader gadget.
Mitigation
Use explicit allowlists: a "strong parameters" pattern in the controller that names exactly the fields the handler accepts. In Rails, `params.require(:user).permit(:email, :name)`. In Spring, `@InitBinder` with `setDisallowedFields` (or, post-Spring4Shell, the upstream patch). In Node, never spread an untrusted body into a model — pick fields explicitly. OWASP's Mass Assignment Cheat Sheet covers each framework.
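The Node case from "How it works" beside the allowlist fix described above, as an added example that is not from the original page or any framework's own code. It assumes a hypothetical in-memory user record standing in for an ORM row and a constructed request body; the vulnerable handler copies every property, the hardened one names exactly the fields the endpoint may change and reports the rest so they can be logged.

```javascript
// Constructed sample record for a regular (non-admin) user, standing in for an ORM row.
function makeUser() {
  return { id: 42, email: 'alice@example.test', name: 'Alice', is_admin: false, tenant_id: 7 };
}

// Constructed request body: the two fields a legitimate profile form sends,
// plus two security-relevant properties appended to the same request.
const PROFILE_UPDATE_BODY = JSON.parse(
  '{"name":"Alice Smith","email":"alice@example.test","is_admin":true,"tenant_id":1}'
);

// Vulnerable handler: the "spread the request body" idiom. Every property in the
// body that the model also has is written, including is_admin and tenant_id.
function updateProfileVulnerable(user, body) {
  Object.assign(user, body);
  return user;
}

// Hardened handler: a strong-parameters style allowlist. Only the named fields are
// copied; anything else in the body is dropped and returned as a detection signal.
const PROFILE_FIELDS = ['name', 'email'];

function pick(body, allowed) {
  const picked = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (allowed.includes(key)) picked[key] = body[key];
    else rejected.push(key);
  }
  return { picked, rejected };
}

function updateProfileSafe(user, body) {
  const { picked, rejected } = pick(body, PROFILE_FIELDS);
  Object.assign(user, picked);
  // Unexpected keys on a profile-update endpoint are worth logging: a request
  // carrying is_admin or tenant_id is a probe, not a normal form submission.
  return { user, rejected };
}
```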
Examples
- CVE-2022-22965 — Spring4Shell; mass-assignment into class-loader properties.
- CVE-2012-2054 — GitHub mass-assignment leading to public-key takeover.