In `apps/backend/src/routes/cards.ts`, the `PUT /:id` endpoint accepts `linkIds` and creates `CardLink` records without verifying that the provided `platformLinkId` values belong to the authenticated user (a missing object-level authorization check):
```ts
await app.prisma.cardLink.createMany({
  data: parsed.data.linkIds.map((linkId, index) => ({
    cardId: id,
    platformLinkId: linkId, // ← never verified this belongs to userId
    displayOrder: index,
  })),
});
```
Any authenticated user who knows another user's `platformLinkId` UUID can attach that user's links to their own card, effectively stealing their profile link data.
Proposed fix
Before creating `CardLink` rows, verify that all provided `linkIds` belong to the current user:

```ts
const validLinks = await app.prisma.platformLink.findMany({
  where: { id: { in: parsed.data.linkIds }, userId },
});
if (validLinks.length !== parsed.data.linkIds.length) {
  return reply.status(403).send({ error: 'One or more links do not belong to you' });
}
```
Files to touch
`apps/backend/src/routes/cards.ts`
GSSoC 2026 — Assignment Request
I would like to work on this issue as part of GirlScript Summer of Code 2026 (GSSoC'26). I have reviewed the codebase and understand the root cause and the fix required.
Could you please assign this issue to me?
GitHub: @MehtabSandhu11
Thank you!