Flagsmith
fix: prevent IDOR vulnerability in environment update endpoint
Thanks for submitting a PR! Please check the boxes below:
- [ ] I have added information to
docs/if required so people know about the feature! - [x] I have filled in the "Changes" section below?
- [x] I have filled in the "How did you test this code" section below?
- [x] I have used a Conventional Commit title for this Pull Request
Changes
Make the project field read-only during environment updates to prevent attackers from moving an environment to a different project they don't own.
The vulnerability allowed an attacker with access to their own environment to modify the project field in the PUT request body, effectively moving their environment into a victim's project.
Fix: Override init in CreateUpdateEnvironmentSerializer to set project field as read-only when instance exists (update operation).
How did you test this code?
Adds unit test
The latest updates on your projects. Learn more about Vercel for GitHub.
3 Skipped Deployments
| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| docs |  Ignored |
Preview | Dec 8, 2025 11:39am | |
| flagsmith-frontend-preview | Ignored |
Preview | Dec 8, 2025 11:39am | |
| flagsmith-frontend-staging | Ignored |
Preview | Dec 8, 2025 11:39am |
![vercel[bot] avatar](https://avatars.githubusercontent.com/in/8329?v=4 "Published by a pub.dev verified publisher"){kind=small}
Docker builds report
| Image | Build Status | Security report |
|---|---|---|
ghcr.io/flagsmith/flagsmith-api-test:pr-6384 |
Finished :white_check_mark: | Skipped |
ghcr.io/flagsmith/flagsmith-e2e:pr-6384 |
Finished :white_check_mark: | Skipped |
ghcr.io/flagsmith/flagsmith-frontend:pr-6384 |
Finished :white_check_mark: | Results :white_check_mark: |
ghcr.io/flagsmith/flagsmith-api:pr-6384 |
Finished :white_check_mark: | Results :white_check_mark: |
ghcr.io/flagsmith/flagsmith:pr-6384 |
Finished :white_check_mark: | Results :white_check_mark: |
ghcr.io/flagsmith/flagsmith-private-cloud:pr-6384 |
Finished :white_check_mark: | Results :white_check_mark: |
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 98.02%. Comparing base (f7ca9cd) to head (d29b554).
:warning: Report is 3 commits behind head on main.
Additional details and impacted files
@@ Coverage Diff @@
## main #6384 +/- ##
=======================================
Coverage 98.02% 98.02%
=======================================
Files 1282 1282
Lines 45498 45514 +16
=======================================
+ Hits 44600 44617 +17
+ Misses 898 897 -1
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
:rocket: New features to boost your workflow:
- :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
- :package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}