# Serializer/Form Exposes Privilege Fields

- ID: python-serializer-privilege-exposure
- Severity: HIGH
- CWE: Mass Assignment (CWE-915)
- Languages: Python
- Frameworks: django

## Description

Detects Django REST Framework serializers and Django `ModelForm` classes that expose privilege-related model fields (for example `is_staff` or `is_superuser`) as writable, either by listing them in `fields` without marking them read-only or by selecting every model field with `fields = '__all__'` or an `exclude` list. A request body can then set those fields directly on the model when the serializer or form is saved, which is a mass-assignment privilege escalation (CWE-915).

## Remediation

Use an explicit `fields` list rather than `fields = '__all__'` or `exclude`, since both pick up every model field, including privilege fields added later. For a DRF serializer, put any privilege field that must appear in responses in `read_only_fields`; it is still serialized on output but any value supplied on input is ignored. A Django `ModelForm` has no read-only option, so leave such fields out of `fields` entirely.

```python
# Meta of a DRF ModelSerializer: privilege fields are readable but never bound from input
class Meta:
    fields = ['username', 'email', 'is_staff', 'is_superuser']
    read_only_fields = ['is_staff', 'is_superuser']
```

Learn more: https://shoulder.dev/learn/python/cwe-915/serializer-privilege-exposure

## Related Rules

- **Django Mass Assignment Vulnerability** [HIGH]
- **Prisma Mass Assignment Vulnerability** [CRITICAL]
- **Class/Attribute Pollution** [HIGH]
- **TypeORM Mass Assignment Vulnerability** [CRITICAL]
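The following is an added worked example, not the scanner's own implementation (which this page does not show): a small stdlib-only checker that applies the rule's logic with Python's `ast` module to a constructed sample module containing both exposed and correctly hardened classes. It flags a class when a privilege field is selected by `fields`, `fields = '__all__'` or `exclude` and is not marked read-only. Beyond the remediation snippet above it also honours the two other ways DRF expresses read-only (`Meta.extra_kwargs` and a field declared on the class with `read_only=True`), and it treats any class whose base name ends in `Form` as a Django form, where no read-only option exists. The privilege field set is an assumption: the page names only `is_staff` and `is_superuser`; `groups` and `user_permissions` are added here because they grant permissions as well.

```python
import ast

# Assumed privilege-bearing fields on Django's User model (the rule names is_staff and
# is_superuser; groups and user_permissions are added here as an assumption).
PRIVILEGE_FIELDS = {"is_staff", "is_superuser", "groups", "user_permissions"}

def _string_list(node):
    """Strings in a list/tuple literal; None for '__all__', a name, or a missing option."""
    if isinstance(node, (ast.List, ast.Tuple)):
        return [e.value for e in node.elts if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return None

def _meta_options(class_node):
    """Simple `name = value` assignments inside the nested `class Meta`."""
    opts = {}
    for item in class_node.body:
        if isinstance(item, ast.ClassDef) and item.name == "Meta":
            for stmt in item.body:
                if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                    opts[stmt.targets[0].id] = stmt.value
    return opts

def _read_only_elsewhere(class_node, opts):
    """Read-only markers DRF also honours: Meta.extra_kwargs and fields declared on the class."""
    names = set()
    extra = opts.get("extra_kwargs")
    if isinstance(extra, ast.Dict):  # extra_kwargs = {'is_staff': {'read_only': True}}
        for key, val in zip(extra.keys, extra.values):
            if isinstance(key, ast.Constant) and isinstance(val, ast.Dict):
                for k, v in zip(val.keys, val.values):
                    if (isinstance(k, ast.Constant) and k.value == "read_only"
                            and isinstance(v, ast.Constant) and v.value is True):
                        names.add(key.value)
    for item in class_node.body:  # is_superuser = serializers.BooleanField(read_only=True)
        if isinstance(item, ast.Assign) and isinstance(item.value, ast.Call):
            if any(kw.arg == "read_only" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                   for kw in item.value.keywords):
                names.update(t.id for t in item.targets if isinstance(t, ast.Name))
    return names

def writable_privilege_fields(class_node):
    """Privilege fields a request body could set through this serializer or form."""
    opts = _meta_options(class_node)
    if "fields" not in opts and "exclude" not in opts:
        return []  # no model field selection: not a ModelSerializer/ModelForm Meta
    explicit = _string_list(opts.get("fields"))
    if explicit is not None:
        exposed = set(explicit)
    else:  # fields = '__all__' or an exclude list: every non-excluded model field is writable
        exposed = PRIVILEGE_FIELDS - set(_string_list(opts.get("exclude")) or [])
    is_form = any((b.id if isinstance(b, ast.Name) else getattr(b, "attr", "")).endswith("Form")
                  for b in class_node.bases)
    read_only = set()
    if not is_form:  # Django ModelForms have no read-only option; a listed field is always bound
        read_only = set(_string_list(opts.get("read_only_fields")) or []) | _read_only_elsewhere(class_node, opts)
    return sorted((exposed & PRIVILEGE_FIELDS) - read_only)

def find_privilege_exposure(source):
    """Map each offending class name in `source` to its writable privilege fields."""
    findings = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            bad = writable_privilege_fields(node)
            if bad:
                findings[node.name] = bad
    return findings

# Constructed sample module: three exposures and two correctly hardened serializers.
SAMPLE_SOURCE = '''
from django import forms
from rest_framework import serializers
from django.contrib.auth.models import User
class UserSerializerAll(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = '__all__'          # every model field, is_superuser included, is writable
class UserSerializerExplicit(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['username', 'email', 'is_staff']   # is_staff listed but not read-only
class SafeUserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['username', 'email', 'is_staff', 'is_superuser']
        read_only_fields = ['is_staff', 'is_superuser']
class SafeViaDeclaredFields(serializers.ModelSerializer):
    is_superuser = serializers.BooleanField(read_only=True)
    class Meta:
        model = User
        fields = ['username', 'is_staff', 'is_superuser']
        extra_kwargs = {'is_staff': {'read_only': True}}
class ProfileForm(forms.ModelForm):
    class Meta:
        model = User
        exclude = ['password']      # everything else, privilege fields included, is bound from POST
'''

if __name__ == "__main__":
    for name, fields in find_privilege_exposure(SAMPLE_SOURCE).items():
        print(f"{name}: writable privilege fields {fields}")
```

Running the block reports `UserSerializerAll`, `UserSerializerExplicit` and `ProfileForm` and stays silent on the two hardened serializers. The checker is deliberately conservative: a `fields` value it cannot read statically (a name or `'__all__'`) is treated as exposing every model field, and a `read_only_fields` entry on a `ModelForm` is ignored because Django does not honour it there, so the only fix for a form is to drop the field from `fields`.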