The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
View on MITREIf the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.
An attacker could modify sensitive data or program variables.
If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
No detection method information available for this CWE.
This function sets object attributes based on a dot-separated path.
This function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype.
This function sets object attributes based on a dot-separated path.
This function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype.
This function sets object attributes based on a dot-separated path.
This function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype.
Application for using LLMs allows modification of a sensitive variable using mass assignment.
View DetailsMass assignment allows modification of arbitrary attributes using modified URL.
View DetailsSource version control product allows modification of trusted key using mass assignment.
View DetailsUse of PHP unserialize function on untrusted input allows attacker to modify application configuration.
View DetailsUse of PHP unserialize function on untrusted input in content management system might allow code execution.
View DetailsUse of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
View DetailsContent management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
View DetailsContent management system written in PHP allows code execution through page comments.
View DetailsUse of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.
View DetailsContent management system written in Python interprets untrusted data as pickles, allowing code execution.
View DetailsPython script allows remote attackers to execute arbitrary code using pickled objects.
View DetailsRuby on Rails allows deserialization of untrusted YAML to execute arbitrary code.
View DetailsSpring framework allows deserialization of objects from untrusted sources to execute arbitrary code.
View DetailsGrails allows binding of arbitrary parameters to modify arbitrary object properties.
View DetailsMedia library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.
View DetailsCWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.
If exploited, CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) it can compromise Integrity and Other, leading to outcomes such as Modify Application Data, Execute Unauthorized Code or Commands, Varies by Context and Alter Execution Logic.
Recommended mitigations for CWE-915 include: If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment. If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified. For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
CWE-915 commonly affects Ruby, ASP.NET, PHP, Python and Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-915, including CVE-2024-3283, CVE-2012-2054, CVE-2012-2055, CVE-2008-7310 and CVE-2013-1465. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-915 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.