# Unvalidated Business-Critical Values

- ID: javascript-unvalidated-business-values
- Severity: HIGH
- CWE: Improper Input Validation (CWE-20)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nextjs, koa

## Description

Detects business-critical values from user input used without validation.

## Detection Message

Business-critical value extracted from user input without validation.
This could allow attackers to manipulate prices, discounts, or refunds.


## Remediation

Use server-side prices and validate ranges before use.

```javascript
const product = products.get(productId);
const total = product.price * quantity;
```

Learn more: https://shoulder.dev/learn/javascript/cwe-20/unvalidated-business-values

## Related Rules

- **FastAPI Missing Request Validation** [MEDIUM]: 
- **Business Logic Input Validation** [MEDIUM]: 
- **Echo Missing Input Validation** [MEDIUM]: 
- **Fiber Missing Input Validation** [MEDIUM]: 
- **Gin Missing Input Validation** [MEDIUM]: