Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-915 Base Incomplete
Improperly Controlled Modification of Dynamically-Determined Object Attributes
This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed.…
Definition
What is CWE-915?
This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.
This flaw, often called mass assignment, autobinding, or object injection, allows attackers to bypass intended business logic by manipulating parameters in requests (like JSON or form data) to overwrite critical object fields. For example, an attacker might add a parameter like `isAdmin=true` to a user profile update, potentially escalating their privileges if the application blindly binds all incoming data to the object.
Managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack by correlating SAST findings with runtime behavior. While SAST tools catch the insecure pattern, Plexicus uses AI to suggest the actual code fix—such as implementing an allowlist for bindable attributes—saving hours of manual review and patching.
Real-world impact
Real-world CVEs caused by CWE-915
-
Application for using LLMs allows modification of a sensitive variable using mass assignment.
-
Mass assignment allows modification of arbitrary attributes using modified URL.
-
Source version control product allows modification of trusted key using mass assignment.
-
Attackers can bypass payment step in e-commerce product.
-
Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.
-
Use of PHP unserialize function on untrusted input in content management system might allow code execution.
-
Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
-
Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
How attackers exploit it
Step-by-step attacker path
- 1
This function sets object attributes based on a dot-separated path.
- 2
This function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype.
- 3
By using a denylist of dangerous attributes, this weakness can be eliminated.
Vulnerable code example
Vulnerable JavaScript
This function sets object attributes based on a dot-separated path.
function setValueByPath (object, path, value) {
const pathArray = path.split(".");
const attributeToSet = pathArray.pop();
let objectToModify = object;
for (const attr of pathArray) {
if (typeof objectToModify[attr] !== 'object') {
objectToModify[attr] = {};
}
objectToModify = objectToModify[attr];
}
objectToModify[attributeToSet] = value;
return object;
} Secure code example
Secure JavaScript
By using a denylist of dangerous attributes, this weakness can be eliminated.
function setValueByPath (object, path, value) {
const pathArray = path.split(".");
const attributeToSet = pathArray.pop();
let objectToModify = object;
for (const attr of pathArray) {
```
// Ignore attributes which resolve to object prototype*
if (attr === "__proto__" || attr === "constructor" || attr === "prototype") {
```
continue;
}
if (typeof objectToModify[attr] !== "object") {
objectToModify[attr] = {};
}
objectToModify = objectToModify[attr];
}
objectToModify[attributeToSet] = value;
return object;
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-915
- Implementation If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
- Architecture and Design / Implementation If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
- Implementation For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
- Implementation / Architecture and Design Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
Detection signals
How to detect CWE-915
Plexicus auto-detects CWE-915 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-915?
How serious is CWE-915?
What languages or platforms are affected by CWE-915?
How can I prevent CWE-915?
How does Plexicus detect and fix CWE-915?
Where can I learn more about CWE-915?
Frequently asked questions
What is CWE-915?
This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.
How serious is CWE-915?
MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.
What languages or platforms are affected by CWE-915?
MITRE lists the following affected platforms: Ruby, ASP.NET, PHP, Python.
How can I prevent CWE-915?
If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment. If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted.…
How does Plexicus detect and fix CWE-915?
Plexicus's SAST engine matches the data-flow signature for CWE-915 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-915?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/915.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-915
CWE-913 Parent
Improper Control of Dynamically-Managed Code Resources
This vulnerability occurs when an application fails to properly secure access to code resources that can be created or altered at runtime,…
CWE-1321 Sibling
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Prototype pollution occurs when an application takes user-supplied input and uses it to improperly modify the properties of a JavaScript…
CWE-470 Sibling
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide…
CWE-502 Sibling
Deserialization of Untrusted Data
This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation,…
CWE-914 Sibling
Improper Control of Dynamically-Identified Variables
This vulnerability occurs when an application fails to properly secure access to variables whose names are determined at runtime, allowing…
CWE-94 Sibling
Improper Control of Generation of Code ('Code Injection')
This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the…
Resources
Further reading
- MITRE — official CWE-915 https://cwe.mitre.org/data/definitions/915.html
- Shocking News in PHP Exploitation https://owasp.org/www-pdf-archive/POC2009-ShockingNewsInPHPExploitation.pdf
- "Two Security Vulnerabilities in the Spring Framework's MVC" pdf (from 2008) http://diniscruz.blogspot.com/2011/07/two-security-vulnerabilities-in-spring.html
- Two Security Vulnerabilities in the Spring Framework's MVC https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf
- Best Practices for ASP.NET MVC https://web.archive.org/web/20100921074010/http://blogs.msdn.com/b/aspnetue/archive/2010/09/17/second_2d00_post.aspx
- Mass assignment in Rails applications https://web.archive.org/web/20090808163156/http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/
- Secure your Rails apps! https://pragtob.wordpress.com/2012/03/06/secure-your-rails-apps/
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.