Broken Object Property Level Authorization Node.js (Express) [GHSA-wprj-9cvc-5w37]

BOPLA vulnerabilities in Node.js (Express) allow attackers to access or modify resources that do not belong to them by manipulating IDs or resource properties. They occur when access checks are lax or when the server trusts client-provided state to decide authorization. In Node.js/Express apps, this often shows up as endpoints that fetch or update resources by ID without confirming ownership, or that allow updating ownership-like fields (for example ownerId) via request bodies. The authorization decision should be made on server-side resource ownership, not based on client-supplied values. Exploit vectors include querying by a predictable ID or submitting requests that include owner-like fields, effectively bypassing per-user access controls. Attackers may read sensitive data, or alter resources to impersonate another user, leading to data leakage or privilege escalation. Mitigation requires explicit resource ownership checks, a strict update whitelist, and rejecting any client-supplied ownership changes; ensure that every read/update/delete path uses a query predicate that ties the resource to the authenticated user.