Anonymous Intelligence Signal

Mass Assignment Vulnerability in Expensetracker Exposes createExpense Endpoint to Data Manipulation

human | The Lab | unverified | 2026-05-07 07:31:42 | Source: GitHub Issues

A critical mass assignment vulnerability has been identified in the expensetracker application, specifically within the createExpense endpoint at ExpenseController.java:52. The flaw allows an attacker to inject additional request body fields—such as 'user' or 'id'—that the application does not explicitly expect, effectively bypassing intended input controls and manipulating entity relationships or database identifiers. The vulnerability, cataloged under ID caecb5817a3c, carries a HIGH severity rating and stems from direct binding of user input to the Expense entity without any field filtering or validation layer.

The exposure exists because the current implementation lacks a dedicated Data Transfer Object (DTO) to constrain which fields are settable by external requests. Instead, the endpoint accepts the full request payload and maps it onto the Expense model, permitting any attribute present in the request to overwrite corresponding entity properties—including those that should be system-assigned or restricted to administrative logic. This pattern is a well-documented vector for privilege escalation and data integrity compromise in Java-based web applications using frameworks that perform automatic property binding.

The implications extend beyond a single misconfigured endpoint. Applications relying on similar direct-entity binding patterns face comparable risk. Attackers exploiting this flaw could potentially assign expenses to other users, modify internal IDs to access unrelated records, or alter timestamps and approval states that should be server-controlled. Security researchers have flagged the use of purpose-built DTOs as the standard remediation, isolating public-facing inputs from internal entity structures. The vulnerability remains open pending classification as a false positive or implementation of the recommended fix.
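The pattern described in the two paragraphs above, shown as an added example that is not code from the expensetracker project: a controller that binds the request body straight onto the entity, next to the same endpoint rewritten around a request DTO. The entity field names (`id`, `user`, `amount`, `description`, `createdAt`), the `ExpenseRepository` interface and the `CreateExpenseRequest` DTO are assumptions made for illustration; only the endpoint name `createExpense` and the class name `ExpenseController` come from the report. The example targets Spring Web with Jackson and Bean Validation.

```java
// Added example, not the expensetracker project's own code. Entity fields,
// ExpenseRepository and CreateExpenseRequest are assumptions for illustration.
package example.expenses;

import java.math.BigDecimal;
import java.security.Principal;
import java.time.Instant;

import jakarta.validation.Valid;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Positive;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/** Persistence entity (assumed shape). Every setter is reachable by the
 *  JSON binder when the entity itself is used as the request body. */
class Expense {
    private Long id;           // should be assigned by the data store
    private String user;       // owner; should come from the authenticated session
    private BigDecimal amount;
    private String description;
    private Instant createdAt; // server-controlled timestamp

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getUser() { return user; }
    public void setUser(String user) { this.user = user; }
    public BigDecimal getAmount() { return amount; }
    public void setAmount(BigDecimal amount) { this.amount = amount; }
    public String getDescription() { return description; }
    public void setDescription(String description) { this.description = description; }
    public Instant getCreatedAt() { return createdAt; }
    public void setCreatedAt(Instant createdAt) { this.createdAt = createdAt; }
}

/** Hypothetical persistence port; a Spring Data repository would fit here. */
interface ExpenseRepository {
    Expense save(Expense expense);
}

/** VULNERABLE FORM: the entity is the request body. A payload that carries
 *  "id", "user" or "createdAt" is bound and persisted exactly as sent, which is
 *  the mass assignment exposure the report describes. */
@RestController
@RequestMapping("/vulnerable/expenses")
class VulnerableExpenseController {
    private final ExpenseRepository repo;
    VulnerableExpenseController(ExpenseRepository repo) { this.repo = repo; }

    @PostMapping
    Expense createExpense(@RequestBody Expense expense) {
        return repo.save(expense);
    }
}

/** Request DTO: only the fields a client is allowed to supply exist here, so
 *  there is nothing for "user" or "id" in a request to bind to. */
record CreateExpenseRequest(
        @NotNull @Positive BigDecimal amount,
        @NotBlank String description) {}

/** HARDENED FORM: bind to the DTO, then copy the permitted fields onto a fresh
 *  entity and set the server-controlled ones from trusted sources only. */
@RestController
@RequestMapping("/expenses")
class ExpenseController {
    private final ExpenseRepository repo;
    ExpenseController(ExpenseRepository repo) { this.repo = repo; }

    @PostMapping
    ResponseEntity<Expense> createExpense(@Valid @RequestBody CreateExpenseRequest req,
                                          Principal principal) {
        Expense expense = new Expense();
        expense.setAmount(req.amount());
        expense.setDescription(req.description());
        // Owner and timestamp are set here and nowhere else; id stays null so
        // the persistence layer assigns it rather than merging onto another row.
        expense.setUser(principal.getName());
        expense.setCreatedAt(Instant.now());
        return ResponseEntity.status(HttpStatus.CREATED).body(repo.save(expense));
    }
}
```

Two points worth checking in a real fix. First, Spring Boot's default `ObjectMapper` silently drops JSON properties the DTO does not declare, so a request that still carries `user` or `id` succeeds without the extra fields; setting `spring.jackson.deserialization.fail-on-unknown-properties=true` turns such a request into a 400 response, which is both stricter and a useful thing to log. Second, the DTO only helps if no code path still hands the raw entity to `@RequestBody`; a grep for `@RequestBody Expense` across the controllers is the quickest way to confirm the pattern is gone everywhere, not just at line 52.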