A route handler that does const body = await request.json() and passes the result straight to Prisma, Supabase, or a raw SQL call is trusting whatever the client sends — including type mismatches, unexpected fields, oversized payloads, and deliberately malformed structures. Without a schema parse in front, attackers can submit extra fields that the ORM happily writes (mass-assignment), coerce types to trigger errors that leak stack traces, or send payloads large enough to DoS the JSON parser. AI coding tools consistently skip this step — they'll generate a handler that destructures the request body, uses the fields immediately, and moves on, because the happy path works and validation adds visible line count. Zod / Yup / Valibot / Pydantic aren't hard to add; they just get forgotten.
High when any database-writing handler skips validation, because mass-assignment and type-coercion bugs follow directly; elevated above medium because a single unvalidated write endpoint is typically enough to compromise data integrity.
Define a Zod schema and parse at the top of every handler:
import { z } from "zod"

const Body = z.object({ email: z.string().email(), name: z.string().min(1).max(120) })
// parse() throws a ZodError on any type mismatch; note that z.object() strips unknown keys by default,
// so add .strict() if extra fields should be rejected outright rather than silently dropped
const body = Body.parse(await request.json())
// use body.email, body.name
Deeper remediation guidance and cross-reference coverage for this check lives in the security-hardening Pro audit — run that after applying this fix for a more exhaustive pass on the same topic.
Check id: project-snapshot.injection.user-input-validated
Severity: high
Result template: "Found N handlers that consume request data; M validate via {library list}. Validation rate: M/N = X%."
Example finding: "4 of 12 API handlers parse request body without Zod/Yup validation; 1 of those writes to the database (app/api/comments/route.ts)".