# Prisma Mass Assignment Vulnerability

- ID: prisma-mass-assignment
- Severity: CRITICAL
- CWE: Mass Assignment (CWE-915)
- Languages: JavaScript, TypeScript
- Frameworks: prisma

## Description

Spreading `req.body` into a Prisma `create`/`update` call passes every key the client sent straight to the ORM, which allows attackers to set protected fields such as `role`, `credits`, or `permissions`.

## Detection Message

{operation} uses unvalidated user input in data parameter. Use explicit field whitelisting with validation.

## Remediation

Use explicit field assignment from a validated input object instead of spreading `req.body`.

```typescript
const input = createUserSchema.parse(req.body);
const user = await prisma.user.create({
  data: {
    email: input.email,
    name: input.name
    // role not assigned from user input
  }
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-915/prisma-mass-assignment

## Related Rules

- **Django Mass Assignment Vulnerability** [HIGH]:
- **Class/Attribute Pollution** [HIGH]:
- **Serializer/Form Exposes Privilege Fields** [HIGH]:
- **TypeORM Mass Assignment Vulnerability** [CRITICAL]:
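The following is an added, self-contained example (not part of the rule text above and not Prisma's own code) that puts the flagged spread pattern next to the whitelisted fix from the Remediation section and shows, on a constructed hostile request body, why the first escalates privileges and the second does not. It assumes a tiny in-memory stand-in for `prisma.user.create` so it runs without a database, and a hand-written `parseCreateUserInput` in place of the `createUserSchema.parse` call (zod is omitted so there are no dependencies); the field names `role` and `credits` are taken from the description.

```typescript
// Added example: mass assignment through a spread vs. explicit field whitelisting.
// The delegate below only mimics the shape of prisma.user.create; it is not Prisma.

interface UserRecord {
  id: number;
  email: string;
  name: string;
  role: "user" | "admin"; // privileged field, must never come from the request
  credits: number;        // privileged field
}

// Stand-in for a generated model delegate: schema defaults first, then the caller's data.
class FakeUserDelegate {
  private rows: UserRecord[] = [];

  create(args: { data: Partial<UserRecord> }): UserRecord {
    const row: UserRecord = {
      id: this.rows.length + 1,
      email: "",
      name: "",
      role: "user", // schema default
      credits: 0,   // schema default
      ...args.data, // caller-supplied keys override the defaults, as in a real client
    };
    this.rows.push(row);
    return row;
  }
}
const prisma = { user: new FakeUserDelegate() };

// Constructed request body: the expected fields plus two privileged ones the client must not set.
const hostileBody = {
  email: "eve@example.com",
  name: "Eve",
  role: "admin",
  credits: 1_000_000,
};

// VULNERABLE (the pattern this rule flags). Express types req.body as `any`, so the
// spread compiles silently and forwards role and credits to the ORM unchanged.
function createUserVulnerable(body: any): UserRecord {
  return prisma.user.create({ data: { ...body } });
}

interface CreateUserInput {
  email: string;
  name: string;
}

// Hypothetical validator standing in for createUserSchema.parse: it returns only the
// two fields a self-registering user may set and rejects malformed input outright.
function parseCreateUserInput(body: unknown): CreateUserInput {
  if (typeof body !== "object" || body === null) throw new Error("body must be an object");
  const b = body as Record<string, unknown>;
  const { email, name } = b;
  if (typeof email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    throw new Error("invalid email");
  }
  if (typeof name !== "string" || name.length === 0 || name.length > 100) {
    throw new Error("invalid name");
  }
  return { email, name }; // unknown keys are dropped here, not merely ignored later
}

// FIXED: explicit assignment from the validated object; role and credits keep their defaults.
function createUserSafe(body: unknown): UserRecord {
  const input = parseCreateUserInput(body);
  return prisma.user.create({
    data: {
      email: input.email,
      name: input.name,
      // role and credits are intentionally not assigned from user input
    },
  });
}

// Runs both paths against the same hostile body so the difference is observable.
function demo() {
  const v = createUserVulnerable(hostileBody);
  const s = createUserSafe(hostileBody);
  return {
    vulnerableRole: v.role,
    vulnerableCredits: v.credits,
    safeRole: s.role,
    safeCredits: s.credits,
  };
}

console.log(demo());
```

The key design point is that the whitelist happens in the parse step, which constructs a fresh object from named fields, rather than by deleting known-bad keys from the body; a deny-list has to be updated every time a privileged column is added to the schema, while the allow-list only ever grows when a field is deliberately exposed.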