GuardAPI

Fix Mass Assignment in Blitz.js

Mass assignment in Blitz.js is a critical vulnerability where an attacker manipulates the application to update database fields they shouldn't have access to. By sending unexpected keys in a JSON payload, a malicious actor can overwrite fields like 'role', 'isAdmin', or 'balance' if the backend blindly spreads the input object into a Prisma query.

The Vulnerable Pattern

import { resolver } from "blitz" // "@blitzjs/rpc" on the Blitz 2.x toolkit
import db from "db"

export default resolver.pipe(
  // authorize() only checks that a session exists; it says nothing about
  // which fields this user is allowed to change.
  resolver.authorize(),
  async (input, ctx) => {
    // VULNERABLE: The spread operator (...) passes every key in 'input' to the DB.
    // An attacker can send { "role": "ADMIN" } to escalate privileges.
    const user = await db.user.update({
      where: { id: ctx.session.userId },
      data: { ...input },
    })
    return user
  }
)

The Secure Implementation

The fix relies on strict input whitelisting. Placing 'resolver.zod(Schema)' at the front of the pipe adds a validation layer that rejects malformed values and, because a Zod 'z.object' strips unknown keys by default, discards any key not explicitly defined in the schema. This prevents 'over-posting': even if an attacker sends extra parameters in the HTTP request, they never reach the Prisma 'update' or 'create' calls. Two caveats: the stripping depends on that default, so a schema built with '.passthrough()' or a permissive 'z.record' would let extra keys through again; and 'resolver.authorize()' only establishes that the caller is logged in, not which fields they may change, so the schema is what enforces the field-level boundary. Never use the spread operator on raw input; always map to a validated DTO (Data Transfer Object).

import { z } from "zod"
import { resolver } from "blitz" // "@blitzjs/rpc" on the Blitz 2.x toolkit
import db from "db"

// Only these two keys survive validation; everything else is dropped.
const UpdateProfileSchema = z.object({
  name: z.string().min(1),
  bio: z.string().max(200).optional(),
})

export default resolver.pipe(
  resolver.zod(UpdateProfileSchema),
  resolver.authorize(),
  async (input, ctx) => {
    // SECURE: 'input' is now strictly filtered by the Zod schema.
    // Only 'name' and 'bio' are passed to Prisma; extra fields are discarded.
    const user = await db.user.update({
      where: { id: ctx.session.userId },
      data: input,
    })
    return user
  }
)


Verified by Ghost Labs Security Team