Prototype pollution in class-transformer

Description

class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The ‘classToPlainFromExist’ function could be tricked into adding or modifying properties of ‘Object.prototype’ using a ‘proto’ payload.

Recommendation

Update the class-transformer package to the latest compatible version. Followings are version details:

• Affected version(s): < 0.3.1
• Patched version(s): 0.3.1

References

• GHSA-6gp3-h3jj-prx4
• snyk.io
• CVE-2020-7637
• CWE-1321
• CWE-915
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A8

Related Issues

• Prototype pollution in pathval - CVE-2020-7751
• Prototype pollution in gsap - CVE-2020-28478
• Prototype Pollution in js-data - CVE-2020-28442
• Prototype Pollution in lodash - lodash.update - CVE-2020-8203

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

class-transformer