• Security risk: Medium (CVSS: 4.3)
  • Vulnerability: Prevent unauthorized alteration of records on same table


In a Many-to-Many relationship, it was possible for an authenticated user to edit the foreign keys of records to transfer ownership.

Example: A Physician has many appointments with many patients. Physician 1 can create an appointment with Patient 1 via a POST as expected. Physician 1 can then update the intermediate record and change the FK of phyisicianId to that of a different physician via a PUT request.

Physician 1 will no longer be able to access the record but Physician 2 now has an appointment that wasn’t created by that physician.

Reported by

Josh West & Zach Metcalf of Super Humane via Email.

Versions affected

loopback-datasource-juggler version 2.55.3 and below ** This is a default dependency of loopback.**


Upgrade to loopback 2.39.1 or later if your repository is using an outdated loopback package.

Ensure that your application’s package.json has the following line:

"dependencies": {
   "loopback": "^2.39.1",

Then upgrade your project dependencies to use the latest version :

$ cd <app-root>
$ npm update
Tags: security