Also known as: Insecure Direct Object Reference
Definition
IDOR (Insecure Direct Object Reference) is a vulnerability class in which an application uses a user-supplied identifier (such as a userId or recordId) to look up data without verifying that the requester is authorized to access that specific object. IDOR is the most common Server Action bug in AI-generated Next.js code.
IDOR happens when a Server Action accepts an identifier from the request payload and uses it directly in a database query. The classic shape is updateProfile({ userId, ...fields }): the action trusts userId from the form and updates that row. An attacker submits the victim's userId and the action dutifully overwrites the victim's profile.
Derive identity from the validated session, never from the request payload. The canonical pattern is: const user = await getUser(), then .eq('id', user.id) in the query. The session cookie is the source of truth for "who is this user?" because it carries a signed JWT that the client cannot forge.
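The vulnerable shape and the fixed shape side by side, as an added example that is not code from the original page. It models the profiles table and the .from().update().eq() chain with a constructed in-memory stand-in (not supabase-js), and the user parameter stands in for the result of getUser(); getProfile, updateProfileVulnerable and updateProfile are hypothetical names chosen for the example.

```typescript
// Constructed stand-ins (not supabase-js): an in-memory profiles table and a
// query builder that mirrors the shape `.from('profiles').update(f).eq('id', x)`.
type Profile = { id: string; displayName: string };
type User = { id: string };

const profiles = new Map<string, Profile>([
  ["user-a", { id: "user-a", displayName: "Alice" }],
  ["user-b", { id: "user-b", displayName: "Bob" }],
]);

const db = {
  from(_table: "profiles") {
    return {
      update(fields: Partial<Profile>) {
        return {
          // Applies the update to the single row whose id matches, like a WHERE id = ?.
          eq(_column: "id", id: string): Profile | null {
            const row = profiles.get(id);
            if (!row) return null;
            const updated = { ...row, ...fields, id: row.id };
            profiles.set(id, updated);
            return updated;
          },
        };
      },
    };
  },
};

function getProfile(id: string): Profile | undefined {
  return profiles.get(id);
}

// VULNERABLE shape described in the text: the action trusts userId from the form
// payload, so a request authenticated as user-a that carries userId "user-b"
// overwrites Bob's row. Kept deliberately wrong for comparison.
function updateProfileVulnerable(user: User | null, payload: { userId: string; displayName: string }) {
  if (!user) throw new Error("unauthenticated");
  return db.from("profiles").update({ displayName: payload.displayName }).eq("id", payload.userId);
}

// FIXED shape: `user` is the validated session identity (what getUser() returns).
// The row id comes from it and any userId in the payload is ignored, so the
// query can only ever touch the caller's own row.
function updateProfile(user: User | null, payload: { displayName: string; userId?: string }) {
  if (!user) throw new Error("unauthenticated");
  const { displayName } = payload; // deliberately never reads payload.userId
  return db.from("profiles").update({ displayName }).eq("id", user.id);
}
```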
OWASP Top 10 mapping: A01 Broken Access Control. The 2025 edition is the eighth in a row where Broken Access Control sits at #1. IDOR is one of the canonical examples in the OWASP cheat sheet. The defense is structural: in Next.js, never accept user IDs from the request; always read them from getClaims() or getUser().