
Fix Mass Assignment in AdonisJS

Mass Assignment in AdonisJS occurs when an application blindly accepts all input from a request and passes it directly to a Lucid model's create or update methods. This allows attackers to inject unauthorized fields—such as 'is_admin', 'role', or 'balance'—into the database, leading to privilege escalation or data corruption.

The Vulnerable Pattern

async store({ request, response }) {
  // HIGH RISK: request.all() returns every key-value pair in the payload
  // An attacker can send { "username": "hacker", "is_admin": true }
  const userData = request.all()
  const user = await User.create(userData)

  return response.created(user)
}

The Secure Implementation

To prevent Mass Assignment, never pass request.all() or request.post() straight into a model when persisting data. Use request.only(['field1', 'field2']) to create a strict whitelist of accepted fields. For production-grade security, leverage AdonisJS Validators: they act as a schema-based filter that returns only the properties defined in the validation rules, so even if an attacker sends extra fields such as is_admin, they never reach the Lucid ORM layer.

import CreateUserValidator from 'App/Validators/CreateUserValidator'

async store({ request, response }) {
  // OPTION 1: Use request.only() to whitelist specific fields
  const safeData = request.only(['username', 'email', 'password'])
  const user1 = await User.create(safeData)

  // OPTION 2: Use AdonisJS Validators (Recommended for AppSec)
  // The validator returns only the properties defined in its schema
  const payload = await request.validate(CreateUserValidator)
  const user2 = await User.create(payload)

  return response.created(user2)
}
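The following is an added, framework-free example (not GuardAPI's or AdonisJS's code) that models the two whitelist strategies above: an only() helper with the semantics of request.only(), a minimal schema validator in the spirit of request.validate(), and an unexpectedKeys() check that reports which payload keys fell outside the whitelist so that mass-assignment attempts can be logged. The schema, helper names and the sample payload are assumptions constructed for the demonstration.

```javascript
// Strategy 1: keep only the listed keys (models request.only([...])).
function only(payload, allowedKeys) {
  const safe = {};
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(payload, key)) safe[key] = payload[key];
  }
  return safe;
}

// Strategy 2: a minimal schema validator (models request.validate()).
// Undeclared keys are dropped; a missing required field or a type
// mismatch rejects the whole payload instead of silently continuing.
const createUserSchema = {
  username: { type: 'string', required: true },
  email: { type: 'string', required: true },
  password: { type: 'string', required: true },
};

function validate(payload, schema) {
  const errors = [];
  const validated = {};
  for (const [field, rule] of Object.entries(schema)) {
    const value = payload[field];
    if (value === undefined) {
      if (rule.required) errors.push(`${field} is required`);
      continue;
    }
    if (typeof value !== rule.type) {
      errors.push(`${field} must be a ${rule.type}`);
      continue;
    }
    validated[field] = value;
  }
  if (errors.length > 0) throw new Error(errors.join('; '));
  return validated;
}

// Defender's check: which keys did the client send that no whitelist
// accepts? Logging these makes probing for mass assignment visible.
function unexpectedKeys(payload, allowedKeys) {
  const allowed = new Set(allowedKeys);
  return Object.keys(payload).filter((key) => !allowed.has(key));
}

// Constructed sample body mirroring the attack described in the text.
const hostilePayload = {
  username: 'hacker', email: 'hacker@example.com', password: 'pw',
  is_admin: true, role: 'admin',
};
const allowedFields = ['username', 'email', 'password'];
```

In a real controller the unexpected keys would be written to the application log before the whitelisted data is handed to User.create().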


Verified by Ghost Labs Security Team
