API Security
Premium
Mass Assignment / Broken Object Property
The server copies every key from req.body straight onto the model, so PUT /users/me with {role:"admin"} is instant privilege escalation. Covers ORM spread patterns, nested-object writes, array-element tampering, prototype pollution, and the allowlist/DTO fixes that actually stop it.
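As an added illustration of the pattern the teaser describes (example code, not from the article or from LazyHackers), a constructed Express-style PUT /users/me update in JavaScript: the mass-assigning version beside an allowlisted DTO that also handles nested writes, array values and a `__proto__` key. The user record, the schema and every field name are assumptions.

```javascript
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Fields a user may set on their own record, each with a validator.
// "role", "id", "isVerified" are deliberately absent: they are server-owned.
const USER_UPDATE_SCHEMA = {
  displayName: (v) => typeof v === "string" && v.length <= 64,
  bio: (v) => typeof v === "string" && v.length <= 500,
  tags: (v) => Array.isArray(v) && v.length <= 10 && v.every((t) => typeof t === "string"),
  settings: { // nested allowlist: only these sub-keys may be written
    theme: (v) => v === "light" || v === "dark",
    newsletter: (v) => typeof v === "boolean",
  },
};

// VULNERABLE: mass assignment. Every client-controlled key lands on the model,
// so {role:"admin"} becomes real and a "__proto__" key rewrites the object's prototype.
function applyUpdateUnsafe(user, body) {
  return Object.assign(user, body);
}

// HARDENED: build a DTO holding only schema keys whose values validate.
// Unknown, server-owned and dangerous keys are reported, never copied.
function buildUpdateDto(body, schema = USER_UPDATE_SCHEMA) {
  const dto = {};
  const rejected = [];
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { dto, rejected: ["<not an object>"] };
  }
  for (const key of Object.keys(body)) { // own enumerable keys only
    const known = Object.prototype.hasOwnProperty.call(schema, key);
    if (DANGEROUS_KEYS.has(key) || !known) { rejected.push(key); continue; }
    const rule = schema[key];
    const value = body[key];
    if (typeof rule === "function") {
      if (rule(value)) dto[key] = value; else rejected.push(key);
    } else { // nested object: recurse with the sub-schema, never merge raw input
      const nested = buildUpdateDto(value, rule);
      if (Object.keys(nested.dto).length > 0) dto[key] = nested.dto;
      rejected.push(...nested.rejected.map((k) => `${key}.${k}`));
    }
  }
  return { dto, rejected };
}
// Apply the validated DTO: scalars and arrays replace, nested DTOs merge into existing sub-objects.
function applyUpdateSafe(user, body) {
  const { dto, rejected } = buildUpdateDto(body);
  for (const [k, v] of Object.entries(dto)) {
    user[k] = (v && typeof v === "object" && !Array.isArray(v)) ? { ...user[k], ...v } : v;
  }
  return { user, rejected };
}
```

In a real handler the `dto`, not `req.body`, is what reaches the ORM update call, and the `rejected` list is worth logging: a client sending `role` or `__proto__` is a useful detection signal.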
Members Only Content
This article is exclusively available to premium members of LazyHackers. Login or subscribe to read.