Privilege escalation is authorization bypass with intent. The user finds an endpoint or input field that controls their own access level: a role parameter accepted by the user-update API, an is_admin flag in a profile JSON that the server merges without checking, or an admin route guarded by a check on the wrong header.
Mass assignment is the modern recurring shape. A REST handler that does Object.assign(user, req.body) writes every field the client sent, including the ones the developer never intended to expose. The fix is an explicit allowlist of writable fields per role.
The classical shapes live on too: vertical privilege escalation (a regular user becomes admin), horizontal privilege escalation (user A acts as user B), and "second-order" privilege escalation, where a low-privilege action stores data that a higher-privilege flow later trusts.
Review heuristic
Every endpoint that updates a user-owned object needs an explicit allowlist of the fields it accepts. Object.assign and its equivalents applied to raw request bodies are the smoking gun.
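The mass-assignment handler described above next to its allowlisted replacement, as an added example that is not code from the original page. The field names, roles and the sample request body are constructed for illustration; the handlers are plain functions over a user object and a parsed body so the comparison runs without a web framework.

```javascript
// Constructed per-role allowlist of writable fields. A regular user may never
// touch role or is_admin; only an admin caller may.
const WRITABLE_FIELDS = {
  user: ['displayName', 'email'],
  admin: ['displayName', 'email', 'role', 'is_admin'],
};

// Vulnerable shape from the text: every field the client sent is merged into
// the stored user, including role and is_admin.
function updateUserVulnerable(user, body) {
  return Object.assign({ ...user }, body);
}

// Hardened shape: copy only allowlisted fields for the caller's role. Fields
// outside the allowlist are reported rather than silently dropped, so a
// tampering attempt shows up in logs and tests instead of disappearing.
function updateUserSafe(user, body, callerRole) {
  const allowed = WRITABLE_FIELDS[callerRole];
  if (!allowed) throw new Error(`unknown caller role: ${callerRole}`);

  const rejected = Object.keys(body).filter((k) => !allowed.includes(k));
  if (rejected.length > 0) return { ok: false, rejected };

  const patch = {};
  for (const k of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, k)) patch[k] = body[k];
  }
  return { ok: true, user: { ...user, ...patch } };
}

// Stand-alone demonstration on a constructed user and request body.
const storedUser = { id: 7, displayName: 'alice', email: 'alice@example.test', role: 'user', is_admin: false };
const tamperedBody = { displayName: 'alice', is_admin: true };
console.log('vulnerable:', updateUserVulnerable(storedUser, tamperedBody).is_admin); // true
console.log('hardened:  ', updateUserSafe(storedUser, tamperedBody, 'user'));          // { ok: false, rejected: ['is_admin'] }
```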
External reference
CWE-269: Improper Privilege Management — the canonical industry classification for this bug class. Useful when filing tickets, writing security policies, or arguing with a static analyzer.