Broken Object Property Level Authorization Node.js (Express) [GHSA-58r7-4wr5-hfx8]

Broken Object Property Level Authorization (BOPO) in Node.js Express enables attackers to access or modify data they should not reach by exploiting insufficient checks on individual resource properties. In production, this can lead to exposure of sensitive user data, privilege escalation, or unintended changes to configuration or audit fields. When an API returns a resource with all its fields, including secrets or metadata, an authenticated attacker can infer or harvest information that should be restricted to the owner or privileged roles. In Express apps, BOPO vulnerabilities often arise when endpoints enforce only object-level access (e.g., ownership of a document) but omit property-level checks or field filtering. For example, a route may fetch a record by ID and serialize the entire object, letting an attacker retrieve sensitive fields or even alter properties client-side in subsequent requests. Such patterns are common when using ORMs or direct queries without explicit projection or a robust authorization layer. Mitigation involves implementing a centralized authorization policy and applying it consistently at route or middleware level. Enforce both object- and field-level access, project queries to strip restricted fields, and return only whitelisted properties. Prefer explicit checks against req.user and resource ownership, and use per-property guards or data shaping to guarantee compliance. Testing and observability are essential: add unit/integration tests that simulate users with different roles and owners, verify 403/401 responses, and confirm that no restricted fields are serialized. Audit logs and alerting for unauthorized access attempts help detect regressions before deployment.