
Mass Assignment

Tags: security · CWE-915 · OWASP A1:2021 · CVSS 8.1 · PHP 5.0+ · Intermediate
DEBT score: d5/e3/b5/t7
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list semgrep as the tool, with automated detection possible for the specific pattern `->fill($request->all())` or `->create($request->all())`. Standard linters won't catch this by default — it requires a configured SAST rule — but it won't silently survive production undetected either, since semgrep can flag it in CI.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is a targeted swap: replace `->fill($request->all())` with `->fill($request->only(['field1','field2']))`. This is a small, repeatable pattern fix rather than a single one-liner, because every affected model call site needs auditing and an explicit allowlist defined, but it remains within a single component or model layer rather than a cross-cutting architectural refactor.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). The vulnerability applies to all web and API contexts in PHP. Every time a new model attribute or database column is added, developers must revisit the fill policy — as called out explicitly in common_mistakes. This creates an ongoing tax on feature development across multiple work streams, but it doesn't reshape the entire system's architecture.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field reveals the core trap: developers believe mass assignment only matters in frameworks that auto-bind, so they think hand-rolled code passing `$_POST` to a model update is safe. This contradicts how similar concepts (e.g., form binding in other frameworks) are assumed to work, leading competent developers to miss the vulnerability in non-obvious code paths, particularly in APIs handling JSON bodies.


Also Known As

over-posting, auto-binding vulnerability, mass binding

TL;DR

Blindly binding all user-submitted fields to a model allows attackers to set fields they should not control.

Explanation

Mass assignment occurs when an application automatically maps all HTTP request parameters to object or database fields without an explicit allowlist. An attacker can add extra fields to a form submission — setting is_admin=1, role=admin, or price=0 — and have them silently accepted. Prevention requires an explicit allowlist of permitted fields for each operation. Never pass $_POST or $_REQUEST directly to a constructor or update query.

Common Misconception

Mass assignment only matters in frameworks that do it automatically. Any code that passes $_POST or request data directly to a model update function — even hand-written — is vulnerable if it does not explicitly allowlist accepted fields.

Why It Matters

Passing $_REQUEST or $request->all() directly to a model allows attackers to set any column, including is_admin, role, or account_balance.

Common Mistakes

  • Not defining a $fillable whitelist on Eloquent models — leaving all columns assignable.
  • Updating models with array_merge($model->toArray(), $request->all()) instead of validated/filtered input.
  • Forgetting that JSON request bodies in APIs are just as exploitable as HTML form submissions.
  • Not auditing model attributes when new columns are added — new sensitive fields inherit the existing fill policy.
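The hand-rolled case that the Explanation and the Common Misconception describe, as an added example that is not code from the CodeClarityLab entry: a framework-free PHP updater that builds an UPDATE from whatever the request contains, beside one that allowlists per operation. It uses an in-memory SQLite database through PDO so it runs offline; the table, the user row and the request payload (a profile edit carrying an extra is_admin field) are all constructed for the demo.

```php
<?php
// Added example (not from the CodeClarityLab entry). Shows that mass assignment
// is a property of the code path, not of Laravel: a plain PDO update that maps
// every submitted key to a column is just as exposed as Model::create($request->all()).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO users (id, name, email) VALUES (1, 'alice', 'alice@example.test')");

// Constructed request body: an ordinary profile edit plus one field the user
// must not control. A JSON API body decodes to exactly this shape, which is why
// the page stresses that APIs are as exposed as HTML forms.
$request = ['name' => 'Alice', 'email' => 'alice@example.test', 'is_admin' => '1'];

// Vulnerable: every submitted key becomes a SET column. Values are bound, so
// the issue here is which columns get written, not SQL injection of values
// (interpolating unvalidated column names is a second defect of this style).
function updateUserVulnerable(PDO $db, int $id, array $input): void
{
    $sets = [];
    foreach (array_keys($input) as $column) {
        $sets[] = "$column = :$column";
    }
    $stmt = $db->prepare('UPDATE users SET ' . implode(', ', $sets) . ' WHERE id = :id');
    $stmt->execute($input + ['id' => $id]);
}

// Fixed: one explicit allowlist per operation (a profile edit never touches
// is_admin). Unexpected keys are rejected rather than silently dropped so that
// a client sending is_admin shows up in logs and tests; drop them instead if
// your API contract tolerates unknown fields.
const PROFILE_UPDATE_FIELDS = ['name', 'email'];

function updateUserSafe(PDO $db, int $id, array $input): void
{
    $unexpected = array_diff(array_keys($input), PROFILE_UPDATE_FIELDS);
    if ($unexpected !== []) {
        throw new InvalidArgumentException('Unexpected fields: ' . implode(', ', $unexpected));
    }
    // Belt and braces: only allowlisted keys ever reach the query builder.
    $allowed = array_intersect_key($input, array_flip(PROFILE_UPDATE_FIELDS));
    if ($allowed === []) {
        return; // nothing permitted to update
    }
    $sets = array_map(fn(string $c): string => "$c = :$c", array_keys($allowed));
    $stmt = $db->prepare('UPDATE users SET ' . implode(', ', $sets) . ' WHERE id = :id');
    $stmt->execute($allowed + ['id' => $id]);
}

function isAdmin(PDO $db, int $id): int
{
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE id = :id');
    $stmt->execute(['id' => $id]);
    return (int) $stmt->fetchColumn();
}

// Demo: the vulnerable path promotes the user; the allowlisted path refuses.
updateUserVulnerable($db, 1, $request);
echo 'after vulnerable update, is_admin = ', isAdmin($db, 1), PHP_EOL;

$db->exec('UPDATE users SET is_admin = 0 WHERE id = 1');
try {
    updateUserSafe($db, 1, $request);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'after safe update attempt, is_admin = ', isAdmin($db, 1), PHP_EOL;
```

The allowlist is a constant tied to the operation, not to the table: a "change password" endpoint would get its own list. That is the per-operation allowlist the Explanation calls for, and it is what keeps a newly added column from becoming writable by default (the last Common Mistake above).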

Code Examples

✗ Vulnerable

// Laravel — no $fillable guard, so every key in the request body becomes an attribute
User::create($request->all());
// Attacker sends: POST {"email":"x","role":"admin"}

✓ Fixed

// Explicitly allow only safe fields at the call site
User::create($request->only(['name', 'email', 'password']));

// Or define $fillable on the model so every create()/fill() is guarded
use Illuminate\Database\Eloquent\Model;

class User extends Model {
    protected $fillable = ['name', 'email', 'password'];
    // Denylist alternative; weaker, because a column added later is fillable
    // unless someone remembers to add it here:
    // protected $guarded = ['role', 'is_admin'];
}

Added 15 Mar 2026
Edited 22 Mar 2026
Dev Intel: Tools & Severity

Severity: High
Fix effort: Low

Quick Fix
Always use $model->fill($request->only(['field1','field2'])) with an explicit allowlist — never fill() with all request data.

Applies To
PHP 5.0+ · web · api · laravel · symfony

Detection Hints
->fill($request->all()) or ->create($request->all()) without an ->only() allowlist
Auto-detectable: Yes (semgrep)
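A minimal grep-style check for the detection hint above, added here as an example and not part of the CodeClarityLab entry or its semgrep rule. It flags the two sinks the page names (fill and create, reached through either -> or ::, since the page's own vulnerable example uses User::create) when the argument is $request->all(), $_POST or $_REQUEST. The sample source it scans is constructed; the function names and the sink list are this example's own choices.

```php
<?php
// Added example (not from the CodeClarityLab entry): a regex pre-check for the
// literal mass-assignment pattern, for CI pipelines without a SAST tool. It only
// matches the sink and argument on one line, so an aliased call such as
// `$data = $request->all(); $user->fill($data);` is not seen. That blind spot is
// exactly why the page recommends a configured semgrep rule over a linter.
declare(strict_types=1);

// Sinks from the page's detection hint; extend as your code base needs.
const MASS_ASSIGNMENT_SINKS = ['fill', 'create'];

/**
 * Return one finding per line that calls a listed sink with the whole request.
 * Each finding carries the 1-based line number, the sink, the argument form and
 * the trimmed source line.
 */
function findMassAssignmentSinks(string $source): array
{
    $sinks = implode('|', array_map('preg_quote', MASS_ASSIGNMENT_SINKS));
    $pattern = '/(?:->|::)\s*(' . $sinks . ')\s*\(\s*'
             . '(\$request\s*->\s*all\s*\(\s*\)|\$_POST|\$_REQUEST)\s*\)/';
    $findings = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line, $m)) {
            $findings[] = [
                'line'     => $i + 1,
                'sink'     => $m[1],
                'argument' => $m[2],
                'code'     => trim($line),
            ];
        }
    }
    return $findings;
}

// Constructed sample source: two true hits, one allowlisted call that must not
// fire, and one aliased call that this line-based check cannot see.
$sample = <<<'PHP'
$user = User::create($request->all());
$user->fill($request->only(['name', 'email']));
$profile->fill($_POST);
$data = $request->all();
$account->fill($data);
PHP;

foreach (findMassAssignmentSinks($sample) as $f) {
    printf("line %d: %s(%s)  %s\n", $f['line'], $f['sink'], $f['argument'], $f['code']);
}
```

Run it over real files by feeding file_get_contents() of each PHP source to findMassAssignmentSinks() and failing the build on a non-empty result; treat it as a fast first pass and keep the semgrep rule as the check of record, since the regex neither tracks variables nor knows whether the model already declares $fillable.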
AI Agent
Confidence: High · False positives: Medium · Manual fix · Fix: Medium · Context: Class · Tests: Update

CWE-915