This means that the JSON Schema does not limit the properties that can be passed to the API. By default, the JSON Schema specification allows additional properties, which can lead to security vulnerabilities like mass assignment issues, where unspecified or unauthorized fields are passed to the API. This situation can allow attackers to send unexpected data, potentially altering application behavior or providing access to unauthorized operations, as these additional properties may be processed without validation.
An API endpoint for updating user profiles allows additional properties due to the lack of constraints. An attacker sends a request body with unauthorized fields, such as an isAdmin flag or another user's userId, exploiting the API's mass assignment vulnerability. If these additional properties are processed and written to the database, the attacker could escalate privileges or manipulate other user data.
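The check below is an added example, not code from the original finding: it implements the subset of JSON Schema needed to show how the additionalProperties keyword (which defaults to true) decides whether undeclared fields such as isAdmin reach the persistence layer. The profile schema, the endpoint name and the request body are constructed for illustration.

```python
from typing import Any

# Constructed schema for a hypothetical "update profile" endpoint.
# With additionalProperties left at its default (true), any extra key is accepted.
PROFILE_UPDATE_SCHEMA = {
    "type": "object",
    "properties": {
        "displayName": {"type": "string"},
        "email": {"type": "string"},
    },
    "additionalProperties": False,
}

# Constructed request body carrying the unauthorized fields from the text.
ATTACK_BODY = {"displayName": "alice", "isAdmin": True, "userId": 42}


def _matches_type(value: Any, json_type: str) -> bool:
    """Map a JSON Schema type name onto a Python type check (bool is not integer)."""
    if json_type == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    expected = {"string": str, "boolean": bool, "object": dict}.get(json_type)
    return expected is None or isinstance(value, expected)


def validate_object(schema: dict, body: Any) -> list[str]:
    """Return validation errors for `body` against `schema`; an empty list means accepted.

    Only object type, declared property types and additionalProperties are
    implemented. The keyword defaults to True, mirroring the specification.
    """
    if schema.get("type") == "object" and not isinstance(body, dict):
        return ["body is not a JSON object"]
    declared = schema.get("properties", {})
    allow_extra = schema.get("additionalProperties", True)
    errors = []
    for key, value in body.items():
        if key in declared:
            if not _matches_type(value, declared[key].get("type", "")):
                errors.append(f"property {key!r} has wrong type")
        elif allow_extra is False:
            # Mass-assignment guard: undeclared keys are rejected instead of
            # being silently forwarded to the database layer.
            errors.append(f"unexpected property {key!r}")
    return errors


if __name__ == "__main__":
    print(validate_object(PROFILE_UPDATE_SCHEMA, ATTACK_BODY))
    permissive = {k: v for k, v in PROFILE_UPDATE_SCHEMA.items() if k != "additionalProperties"}
    print(validate_object(permissive, ATTACK_BODY))  # [] : extra fields slip through
```

Running it prints the two rejected fields for the constrained schema and an empty error list for the same body against the permissive schema, which is the behaviour the finding warns about.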