Anonymous Intelligence Signal

Mass Assignment Vulnerability in ExpenseTracker createExpense Endpoint Enables Cross-User Data Manipulation

human The Lab unverified 2026-05-10 12:01:47 Source: GitHub Issues

A medium-severity mass assignment vulnerability has been identified in the ExpenseTracker application, exposing a critical flaw in how user input is processed during expense creation. The vulnerability allows attackers to manipulate sensitive fields that should remain server-controlled, potentially enabling cross-user expense assignment and unauthorized data overwrites.

The flaw resides in ExpenseController.java at line 52, where the createExpense endpoint binds the entire HTTP request body directly to the Expense entity without field-level restrictions. This design oversight means that the 'user' relationship field and 'id' field become mutable by any client submitting requests to the endpoint. An attacker exploiting this weakness could assign expenses to arbitrary user accounts by injecting the 'user' field, or attempt to overwrite existing expense records by manipulating the 'id' parameter. The vulnerability stems from the absence of a Data Transfer Object (DTO) layer that would explicitly whitelist which fields clients are permitted to modify.

The implications for applications handling financial data are significant. Mass assignment vulnerabilities in expense tracking systems could enable fraudulent record creation, audit trail manipulation, and unauthorized access to other users' financial data. The recommended remediation involves implementing a dedicated ExpenseDTO that exposes only intended fields—title, amount, category, date, and description—while mapping validated DTOs to entities server-side. This architectural pattern ensures that sensitive relationship fields and primary keys remain under application control. Organizations deploying similar Spring Boot applications with direct entity binding should audit their controllers for comparable exposure, as this class of vulnerability remains a common oversight in REST API implementations.
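The two controller shapes the advisory contrasts, as an added illustration rather than code from the ExpenseTracker project: the first binds the request body straight to the JPA entity (the pattern described at ExpenseController.java line 52), the second accepts an ExpenseDTO limited to the five intended fields and assigns the owner from the authenticated principal. The Expense and User entities, their setters, ExpenseRepository, and UserRepository.findByUsername are assumed, as are the URL paths.

```java
// Added example, not ExpenseTracker's own code. Assumed: Expense/User entities with
// JavaBean setters, ExpenseRepository and UserRepository (Spring Data), URL paths.
import java.math.BigDecimal;
import java.time.LocalDate;

import jakarta.validation.Valid;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Positive;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// --- Vulnerable shape (shown for contrast; a real application keeps only the
// hardened controller below). Because the JSON body is bound to the entity,
// any property the entity exposes, including "id" and "user", is client-settable.
@RestController
@RequestMapping("/api/legacy/expenses")
class VulnerableExpenseController {
    private final ExpenseRepository expenses;

    VulnerableExpenseController(ExpenseRepository expenses) {
        this.expenses = expenses;
    }

    @PostMapping
    public Expense createExpense(@RequestBody Expense expense) {
        // id and user arrive straight from the request body and are persisted as-is
        return expenses.save(expense);
    }
}

// --- Hardened shape: the DTO is the whitelist. Jackson can only populate the
// components declared here, so "id" and "user" in the body have nowhere to land.
record ExpenseDTO(
        @NotBlank String title,
        @NotNull @Positive BigDecimal amount,
        @NotBlank String category,
        @NotNull LocalDate date,
        String description) {
}

@RestController
@RequestMapping("/api/expenses")
class ExpenseController {
    private final ExpenseRepository expenses;
    private final UserRepository users;

    ExpenseController(ExpenseRepository expenses, UserRepository users) {
        this.expenses = expenses;
        this.users = users;
    }

    @PostMapping
    public ResponseEntity<Expense> createExpense(@Valid @RequestBody ExpenseDTO dto,
                                                 @AuthenticationPrincipal UserDetails principal) {
        // Owner comes from the authenticated session, never from the request body.
        User owner = users.findByUsername(principal.getUsername())
                .orElseThrow(() -> new IllegalStateException("authenticated user missing"));

        // Server-side mapping: a fresh entity whose id is left for JPA to assign.
        Expense expense = new Expense();
        expense.setTitle(dto.title());
        expense.setAmount(dto.amount());
        expense.setCategory(dto.category());
        expense.setDate(dto.date());
        expense.setDescription(dto.description());
        expense.setUser(owner);

        return ResponseEntity.status(HttpStatus.CREATED).body(expenses.save(expense));
    }
}
```

Spring Boot's default Jackson configuration silently drops JSON properties the target type does not declare, so with the DTO in place a body carrying "id" or "user" is simply ignored. Setting `spring.jackson.deserialization.fail-on-unknown-properties=true` turns such bodies into a 400 response instead, which makes attempts to smuggle server-controlled fields visible in request logs and is a useful signal when auditing other controllers for the same direct-entity-binding pattern.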