Prototype pollution in class-transformer

Severity:: Medium

Description

class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The ‘classToPlainFromExist’ function could be tricked into adding or modifying properties of ‘Object.prototype’ using a ‘proto’ payload.

Recommendation

Update the class-transformer package to the latest compatible version. Followings are version details:

Affected version(s): < 0.3.1
Patched version(s): 0.3.1

References

GHSA-6gp3-h3jj-prx4
snyk.io
CVE-2020-7637
CWE-1321
CWE-915
CAPEC-310
OWASP 2021-A6
OWASP 2021-A8

Related Issues

Prototype Pollution in asciitable.js - CVE-2020-7771
Prototype Pollution in systeminformation - CVE-2020-26245
TypeORM vulnerable to MAID and Prototype Pollution - CVE-2020-8158
shvl vulnerable to prototype pollution - CVE-2020-28278

Tags:: npm; class-transformer

Anything's wrong? Let us know Last updated on January 27, 2023