Описание
Prototype pollution in class-transformer
class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a 'proto' payload.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2020-7637
- https://github.com/typestack/class-transformer/commit/8f04eb9db02de708f1a20f6f2d2bb309b2fed01e
- https://github.com/typestack/class-transformer/blob/a650d9f490573443f62508bc063b857bcd5e2525/src/ClassTransformer.ts#L29-L31,
- https://snyk.io/vuln/SNYK-JS-CLASSTRANSFORMER-564431
Пакеты
Наименование
class-transformer
npm
Затронутые версииВерсия исправления
< 0.3.1
0.3.1
Связанные уязвимости
CVSS3: 5.3
nvd
почти 6 лет назад
class-transformer before 0.3.1 allow attackers to perform Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.