# TypeORM Mass Assignment Vulnerability

- ID: typeorm-mass-assignment
- Severity: CRITICAL
- CWE: Mass Assignment (CWE-915)
- Languages: JavaScript, TypeScript
- Frameworks: typeorm

## Description

Assigning `req.body` directly to an entity lets the caller set any column on it, including protected fields such as `role`, `isAdmin`, or `credits`, which a request should never be allowed to control.

## Detection Message

Entity properties are assigned directly from user input without whitelisting. This allows unauthorized field modification.

## Remediation

Assign each allowed field explicitly instead of spreading the request body into the entity; fields the client must not control are left out entirely.

```typescript
const user = repository.create({
  username: req.body.username,
  email: req.body.email,
  // role and isAdmin are never taken from user input
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-915/mass-assignment

## Related Rules

- **Django Mass Assignment Vulnerability** [HIGH]
- **Prisma Mass Assignment Vulnerability** [CRITICAL]
- **Class/Attribute Pollution** [HIGH]
- **Serializer/Form Exposes Privilege Fields** [HIGH]
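The flagged pattern next to a whitelisting version of the remediation, as an added example that is not code from the rule page or from TypeORM. The `User` shape, its field names, and the plain object standing in for `repository.create()` are assumptions.

```typescript
// Added example, not from the rule page or TypeORM. The User entity, its field
// names and the stand-in for repository.create() are assumptions.

interface User {
  username: string;
  email: string;
  role: "user" | "admin";
  isAdmin: boolean;
  credits: number;
}

// Values a freshly created account must start with, regardless of the request.
const NEW_USER_DEFAULTS: Omit<User, "username" | "email"> = {
  role: "user",
  isAdmin: false,
  credits: 0,
};

// The only fields a signup request is allowed to set.
const WRITABLE_FIELDS = ["username", "email"] as const;

// Pattern the rule flags: the whole body is spread into the entity, so the
// caller's values for role, isAdmin and credits overwrite the defaults.
// The double cast is needed to silence the type checker, which is itself a hint.
function createUserUnsafe(body: Record<string, unknown>): User {
  return { ...NEW_USER_DEFAULTS, ...body } as unknown as User;
}

// Hardened pattern: copy only whitelisted string fields and report what was
// dropped, so the handler can log it or answer 400 instead of silently accepting.
function createUserSafe(body: Record<string, unknown>): { user: User; rejected: string[] } {
  const picked: Partial<Pick<User, "username" | "email">> = {};
  const rejected: string[] = [];
  for (const key of Object.keys(body)) {
    const value = body[key];
    if ((WRITABLE_FIELDS as readonly string[]).includes(key) && typeof value === "string") {
      picked[key as "username" | "email"] = value;
    } else {
      rejected.push(key);
    }
  }
  if (picked.username === undefined || picked.email === undefined) {
    throw new Error("username and email are required");
  }
  // Stand-in for repository.create({...}): protected fields come only from defaults.
  const user: User = { ...NEW_USER_DEFAULTS, username: picked.username, email: picked.email };
  return { user, rejected };
}

// Constructed request body: a signup that also tries to set privileged fields.
const TAMPERED_BODY: Record<string, unknown> = {
  username: "alice",
  email: "alice@example.com",
  isAdmin: true,
  role: "admin",
  credits: 9999,
};
```

Running both functions on `TAMPERED_BODY` shows the unsafe version returning an admin account while the safe version returns a default user and lists `isAdmin`, `role` and `credits` as rejected keys.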