Skip to main content

Insecure object reference - User deletion


The system does not have protections that prevent the removal of users from the application, leaving it inoperative and affecting its integrity to a high degree. It is even evident that once the user is deleted, the session is not deleted and still allows the user to continue browsing, which should also be corrected.


  • Remove all users from the platform.
  • Affect other processes and connections that depend on the existence of users.


The respective controls must be established to mitigate any functionality that is foreign to the current role.


Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: H


  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H/E:X/RL:X/RC:X
  • Score:
    • Base: 7.1
    • Temporal: 7.1
  • Severity:
    • Base: High
    • Temporal: High

Code Examples

Compliant code

All inputs are correctly validated on the server side

router.delete('/delete/:username', (req, res) => {
const { username, password} = req.params;
const isUserAuthorized(username, password);
if isUserAuthorized{
db.collection('username').findOneAndDelete({username: username},
(err, result) => {
if (err) return res.send(500, err);
if (result) deleteSessionToken(username);
res.send(500, "You do not have the required permissions for that action");

Non compliant code

The user input is not validated on the server side, which could potentially allow all users to be deleted

router.delete('/delete/:username', (req, res) => {
const { username } = req.params;
db.collection('username').findAndDelete({username: username},
(err, result) => {
if (err) return res.send(500, err);