Findings
Unconstrained additional properties
Updated: June 19, 2025
Description
An endpoint allows unconstrained additional properties in the request body.
This means that the JSON Schema does not limit the properties that can be passed to the API. By default, the JSON Schema specification allows additional properties, which can lead to security vulnerabilities like mass assignment issues, where unspecified or unauthorized fields are passed to the API. This situation can allow attackers to send unexpected data, potentially altering application behavior or providing access to unauthorized operations, as these additional properties may be processed without validation.
Example Attack
An API endpoint for updating user profiles allows additional properties due to the lack of constraints. An attacker sends a request body with unauthorized fields, such as an isAdmin flag or another user's userId, exploiting the API's mass assignment vulnerability. If these additional properties are processed and written to the database, the attacker could escalate privileges or manipulate other user data.
Remediation
Set additionalProperties to false in the request body schema of the endpoint, so that only the fields listed under properties are accepted, or add maxProperties to cap the number of fields a request may carry.
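As an added illustration (not part of the original finding), the following Python implements just the two object-level checks named in the remediation and runs them against a profile-update body that carries the isAdmin and userId fields from the example attack. The field names displayName and email, the schemas and the request bodies are constructed for this example.

```python
import json

# Constructed schema for a profile-update endpoint. additionalProperties is
# omitted, so JSON Schema's default (true) applies and any extra key passes.
WEAK_SCHEMA = {
    "type": "object",
    "properties": {
        "displayName": {"type": "string"},
        "email": {"type": "string"},
    },
}

# Same schema with the remediation applied: unknown keys are rejected and the
# total number of keys is capped to the two that are actually defined.
HARDENED_SCHEMA = {
    "type": "object",
    "properties": {
        "displayName": {"type": "string"},
        "email": {"type": "string"},
    },
    "additionalProperties": False,
    "maxProperties": 2,
}


def validate_properties(schema, body):
    """Check a decoded JSON object against additionalProperties and maxProperties.

    Returns a list of violation messages; an empty list means the body passed.
    Only the boolean form of additionalProperties is handled here; a real
    deployment should rely on a complete JSON Schema validator.
    """
    violations = []
    allowed = set(schema.get("properties", {}))
    extra = sorted(set(body) - allowed)
    if schema.get("additionalProperties", True) is False and extra:
        violations.append(f"additionalProperties: unexpected {extra}")
    cap = schema.get("maxProperties")
    if cap is not None and len(body) > cap:
        violations.append(f"maxProperties: {len(body)} > {cap}")
    return violations


# Constructed request bodies: one with mass-assignment fields, one legitimate.
ATTACK_BODY = json.loads(
    '{"displayName": "alice", "email": "alice@example.com", "isAdmin": true, "userId": 42}'
)
BENIGN_BODY = {"displayName": "alice", "email": "alice@example.com"}

if __name__ == "__main__":
    print("weak    :", validate_properties(WEAK_SCHEMA, ATTACK_BODY))      # [] -> accepted
    print("hardened:", validate_properties(HARDENED_SCHEMA, ATTACK_BODY))  # two violations
    print("benign  :", validate_properties(HARDENED_SCHEMA, BENIGN_BODY))  # []
```

The weak schema accepts the isAdmin and userId fields silently, which is exactly the condition this finding reports; the hardened schema rejects the same body on both keywords while still accepting the legitimate one.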
Security Frameworks
APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs.
Binding client-provided data (e.g., JSON) to data models without proper property filtering based on a whitelist usually leads to Mass Assignment. Guessing object properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads allows attackers to modify object properties they are not supposed to.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.