How to Fix Broken Object Level Authorization in Node.js (Express) [March 2026] [CVE-1999-0967]

Historically, CVE-1999-0967 described a buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol. The flaw arose from unsafe handling of resource identifiers and memory management in that component, allowing an attacker to cause memory corruption and potentially execute arbitrary code on affected systems. While this vulnerability predates modern web servers and Node.js, it underscores the danger of unsafe resource handling and inadequate validation of inputs that originate outside the application. In modern web applications, Broken Object Level Authorization (BOLA) occurs when an API endpoint exposes per-object data without verifying that the requester is allowed to access that specific object. For example, a route that returns /items/:id without checking ownership or ACLs can let an attacker enumerate IDs and retrieve data belonging to other users. This class of vulnerability leads to data leakage, privilege escalation, and violations of access control policies. To fix this in Node.js/Express, you must enforce per-object authorization checks, validate that the authenticated user has rights to the specific object, and avoid leaking object ownership details through identifiers or responses. Implementing deny-by-default, using scoped DB queries, and applying RBAC/ABAC patterns are essential for robust protection. In practice, combine authentication with explicit object-level checks and comprehensive testing to prevent regressions.