Mass-Assignment Vulnerability in createProject — User Field Overwrite #3876

@Nixxx19

Description

p5.js version

Latest

What is your operating system?

None

Web browser and version

all

Actual Behavior

The createProject function in server/controllers/project.controller/createProject.js uses Object.assign() to merge req.body directly into projectValues. Because Object.assign overwrites existing keys, a user field in req.body replaces the req.user._id value that was set one line earlier. This allows an authenticated user to create a project attributed to any other user.

Location:

  • File: server/controllers/project.controller/createProject.js
  • Lines 9–13 (createProject) and Line 36 (apiCreateProject)

Vulnerable code in createProject:

let projectValues = {
  user: req.user._id          // set correctly…
};
projectValues = Object.assign(projectValues, req.body);  // …then overwritten by req.body.user

Vulnerable code in apiCreateProject:

const params = Object.assign({ user: req.user._id }, req.body);  // same issue

Note: apiCreateProject has a partial mitigation — it checks req.user.username !== req.params.username at line 63 — but createProject has no such check.

Expected Behavior

The user field should always be set to the authenticated user's ID (req.user._id) and must never be overwritable via the request body.

Steps to reproduce

  1. Authenticate as any user
  2. Send a POST to /editor/projects with a session cookie and:
    {
      "name": "Test",
      "user": "<victim_user_id>"
    }
  3. Observe the response — the created project's user field (or user.username) is <victim_user_id> (or victim's username), not the authenticated user's ID/username
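The merge-order bug described above, side by side with two ways of closing it, as an added example in plain Node.js (not code from the p5.js web editor). The request objects, user IDs and the `name`-only allowlist are constructed for the example and are assumptions, not the project's schema or routes:

```javascript
// Added example, not the p5.js web editor's own code.
// Constructed IDs standing in for Mongo ObjectIds (assumption).
const ATTACKER_ID = '64a0000000000000000000aa';
const VICTIM_ID = '64a0000000000000000000bb';

// Constructed request: the session cookie resolves to the attacker
// (req.user), but the JSON body smuggles a `user` field naming the victim.
const req = {
  user: { _id: ATTACKER_ID, username: 'attacker' },
  body: { name: 'Test', user: VICTIM_ID },
};

// Vulnerable pattern from the report: req.body is merged AFTER the
// server-chosen owner, so req.body.user overwrites req.user._id.
function buildProjectValuesVulnerable(req) {
  let projectValues = { user: req.user._id };
  projectValues = Object.assign(projectValues, req.body);
  return projectValues;
}

// Fix 1: merge the body first and let the server-controlled owner win.
// Object.assign applies sources left to right, so the last `user` wins.
function buildProjectValuesOwnerLast(req) {
  return Object.assign({}, req.body, { user: req.user._id });
}

// Fix 2 (stronger): copy only an explicit allowlist of client-settable
// fields, so no unexpected key from the body reaches the model at all.
// The allowlist below is an assumption for this example.
const CLIENT_SETTABLE = ['name'];
function buildProjectValuesAllowlist(req) {
  const projectValues = { user: req.user._id };
  for (const key of CLIENT_SETTABLE) {
    if (Object.prototype.hasOwnProperty.call(req.body, key)) {
      projectValues[key] = req.body[key];
    }
  }
  return projectValues;
}

// Returns true when the attacker's body succeeded in re-attributing the
// project, so each builder can be checked the same way.
function ownerWasOverwritten(builder, req) {
  return builder(req).user !== req.user._id;
}

console.log('vulnerable  ->', buildProjectValuesVulnerable(req));
console.log('owner last  ->', buildProjectValuesOwnerLast(req));
console.log('allowlist   ->', buildProjectValuesAllowlist(req));
```

Fix 1 is the one-line change closest to the reported code; Fix 2 also stops any other schema field that the body should not control, which is the usual remedy for mass assignment once more than one protected field exists.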

Labels

  • Awaiting Maintainer Approval: Needs review from a maintainer before moving forward
  • Bug: Error or unexpected behaviors