Broken Object Property Level Authorization Node.js (Express) [GHSA-2jf5-6wwv-vhxx]

Broken Object Property Level Authorization vulnerabilities enable attackers to access or modify data they should not be allowed to see by simply supplying an object ID or key in API requests. Real-world impacts include exposure of personal data, financial details, or other sensitive resources, which can lead to regulatory penalties, brand damage, and loss of user trust. Attackers can iteratively enumerate IDs to harvest information across accounts, and in multi-tenant apps this can escalate privileges from one user to another, undermining the confidentiality guarantees of the system. In Node.js with Express, this class of vulnerability often manifests when endpoints fetch resources by an identifier (for example, /api/orders/:orderId or /api/users/:id) and return the result without validating that the current user owns or is authorized to access that object. If authentication exists but authorization is implemented poorly or at the client side only, attackers can access or alter data belonging to others. The result can be data leaks, tampering, or denial of service for affected resources. Remediating these issues requires explicit, server-side authorization checks at the API boundary. After loading a resource, compare its owner or required permissions to the authenticated user (or enforce ownership in the database query). Prefer implementing ABAC/RBAC patterns and centralizing authorization logic in middleware or route guards. Combine with proper error handling (do not reveal sensitive details) and thorough testing to simulate unauthorized access attempts across endpoints.