Prototype pollution in class-transformer

Description

class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The ‘classToPlainFromExist’ function could be tricked into adding or modifying properties of ‘Object.prototype’ using a ‘proto’ payload.

Recommendation

Update the class-transformer package to the latest compatible version. Followings are version details:

• Affected version(s): < 0.3.1
• Patched version(s): 0.3.1

References

• GHSA-6gp3-h3jj-prx4
• snyk.io
• CVE-2020-7637
• CWE-1321
• CWE-915
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A8

Related Issues

• Prototype Pollution in systeminformation - CVE-2020-26245
• shvl vulnerable to prototype pollution - CVE-2020-28278
• Prototype Pollution in highlight.js - CVE-2020-26237
• Prototype Pollution in asciitable.js - CVE-2020-7771

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

class-transformer