GuardAPI Logo
GuardAPI

Fix Mass Assignment in Nuxt

Mass Assignment in Nuxt/Nitro occurs when untrusted user input is directly mapped to internal data structures or database models. Attackers can inject unauthorized fields—like 'role: admin' or 'balance: 9999'—to escalate privileges or bypass business logic. If you're spreading a request body directly into an ORM call, you're pwned.

The Vulnerable Pattern

// server/api/profile.put.ts
export default defineEventHandler(async (event) => {
  const body = await readBody(event)

// VULNERABLE: Blindly spreading untrusted body into the database
// An attacker can send { “isAdmin”: true } to escalate privileges
return await prisma.user.update({
where: { id: event.context.user.id },
data: { …body }
})
})

The Secure Implementation

The vulnerability lies in the blind trust of the input object's keys. By using the spread operator (...body), you allow the client to define which database columns are updated. The fix involves implementing a strict allow-list. Using a library like Zod ensures that only defined properties reach your persistence layer, effectively stripping out any malicious payload injected into the JSON body.

// server/api/profile.put.ts
import { z } from 'zod'

const UpdateSchema = z.object({
bio: z.string().max(160).optional(),
location: z.string().max(30).optional()
})


export default defineEventHandler(async (event) => {
const body = await readBody(event)


// SECURE: Only allow-listed fields are parsed and passed to the ORM
const validatedData = UpdateSchema.parse(body)


return await prisma.user.update({
where: { id: event.context.user.id },
data: validatedData
})
})

System Alert • ID: 9111
Target: Nuxt API
Potential Vulnerability

Your Nuxt API might be exposed to Mass Assignment

74% of Nuxt apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X