Report from dependabot:
Vulnerable versions: <= 0.2.3
Patched version: No fix
class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a 'proto' payload.
Is this a known issue?
Just ran into this same issue too.
Any chance of getting a fix for this soon?
FYI: https://github.com/nestjs/nest/issues/4598
As for this vulnerability, Nest handles this issue internally for several months already so our users shouldn't be affected. https://github.com/nestjs/nest/blob/master/packages/common/pipes/validation.pipe.ts#L159-L165
Available fixes to be reviewed:
https://github.com/typestack/class-transformer/pull/341
https://github.com/typestack/class-transformer/pull/342
@pleerock @NoNameProvided Could you take a look on this issue?
@jotamorais Could you take a look on these? The PRs need to be carefully reviewed, but they are both small. This comment might be useful while reviewing the code.
I will review later today and post an update.
Thanks!
Any updates on this?
Issue fixed via https://github.com/typestack/class-transformer/pull/367
Nice 馃帀 I'd appreciate a new release of the plugin, so we can install the fix 馃檪
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Most helpful comment
FYI: https://github.com/nestjs/nest/issues/4598