Unvalidated vote direction allows vote count manipulation

High
andr3i1010 published GHSA-ghpx-5w2p-p3qp Jan 29, 2026

Package

polarlearn (Website)

Affected versions

<= v0-PRERELEASE-14

Patched versions

>= v0-PRERELEASE-15

Description

The vote API route (POST /api/v1/forum/vote) trusts the JSON body’s direction value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., "x") as direction. Downstream (VoteServer) treats any non-"up" and non-null value as a downvote and persists the invalid value in votes_data. This can be exploited to bypass intended business logic.

Exploitation

An authenticated attacker can repeatedly alternate requests to manipulate vote counts:

  1. POST /api/v1/forum/vote with { "postId": "<victim>", "direction": "x" } (decrements votes by 1)
  2. POST /api/v1/forum/vote with { "postId": "<victim>", "direction": null } (removes the recorded vote but does not restore the vote count due to the invalid stored value)

Repeating this cycle allows a single user to indefinitely decrease a post’s vote count while bypassing normal per-user vote tracking.

Impact

  • Integrity loss for forum rankings and vote-based reputation systems.
  • Business logic can be bypassed, allowing unauthorized manipulation of post scores.

Recommendations

  • Implement strict runtime validation of the direction field to only accept "up", "down", or null; reject all other values with HTTP 400.
  • Validate postId format/length (e.g., UUID) before passing it to VoteServer.
  • Harden downstream logic in VoteServer to treat any unknown stored vote as null and avoid persisting unexpected values.

Impacted Code

// The VoteRequestBody type exists only at compile time; nothing checks the
// parsed JSON, so direction may be any value the client sends (e.g. "x").
const body: VoteRequestBody = await request.json()
const { postId, direction } = body

// Call the existing server action with the unvalidated values
const result = await VoteServer(postId, direction)

Severity

High

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CVE ID

No known CVE

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.