
Stealing Admin Access via Mass Assignment Vulnerability in Next.js E-Commerce App
Tags: cybersecurity, mass_assignment, vulnerability, Next.js, e-commerce, API_security, SaaS, web_application_security, exploit, local_lab
OopsSec Store is a security lab: a deliberately vulnerable e-commerce application built with Next.js in which administrator access can be obtained through a mass assignment flaw. During registration, adding an unvalidated JSON field ("role": "ADMIN") to the POST request bypasses the backend controls and grants elevated privileges to an ordinary user account. The vulnerability stems from blind trust in client-supplied data: sensitive fields are not filtered out before the user record is created. The lab is available via npx create-oss-store, runs locally on http://localhost:3000, and includes a flag that confirms the exploit succeeded. The article notes that this class of flaw has been observed in real-world APIs and SaaS products.