Class-transformer: CVE-2020-7637

Created on 8 Apr 2020  路  10Comments  路  Source: typestack/class-transformer

Report from dependabot:

Vulnerable versions: <= 0.2.3
Patched version: No fix
class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a 'proto' payload.

Is this a known issue?

Most helpful comment

FYI: https://github.com/nestjs/nest/issues/4598

As for this vulnerability, Nest handles this issue internally for several months already so our users shouldn't be affected. https://github.com/nestjs/nest/blob/master/packages/common/pipes/validation.pipe.ts#L159-L165

All 10 comments

Just ran into this same issue too.

Any chance of getting a fix for this soon?

FYI: https://github.com/nestjs/nest/issues/4598

As for this vulnerability, Nest handles this issue internally for several months already so our users shouldn't be affected. https://github.com/nestjs/nest/blob/master/packages/common/pipes/validation.pipe.ts#L159-L165

Available fixes to be reviewed:

https://github.com/typestack/class-transformer/pull/341
https://github.com/typestack/class-transformer/pull/342

@pleerock @NoNameProvided Could you take a look on this issue?

@jotamorais Could you take a look on these? The PRs need to be carefully reviewed, but they are both small. This comment might be useful while reviewing the code.

I will review later today and post an update.
Thanks!

Any updates on this?

Nice 馃帀 I'd appreciate a new release of the plugin, so we can install the fix 馃檪

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ERPedersen picture ERPedersen  路  4Comments

taemini picture taemini  路  5Comments

AckerApple picture AckerApple  路  5Comments

gregsolo-intent picture gregsolo-intent  路  5Comments

rmindel picture rmindel  路  5Comments