When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id
Severity: Medium
Description
If you set the apiPrefilter option of the @Entity decorator to a function that returns a filter intended to prevent unauthorized access to data, that filter is not applied to API requests that fetch a resource by id. An attacker who knows the id of an entity instance they are not authorized to access can therefore gain read, update and delete access to it.
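The following TypeScript sketch is an added illustration of the defect class described above; it is not code from the remult project and does not reproduce remult's internals. The `Task` type, the sample rows, the `currentUserId` request context and the `TaskRepository` class are all hypothetical. It shows a prefilter that must be a function (because it depends on the caller), a by-id path that only merges object-valued filters and so silently bypasses the function form, and the hardened shape in which fetch-by-id, update and delete all go through the same filter resolution as the list path.

```typescript
// Added example, not remult's code: a minimal in-memory repository showing why an
// apiPrefilter-style option given as a function must be resolved and applied on
// every access path, including fetch-by-id.

type Task = { id: string; ownerId: string; title: string };
type TaskFilter = Partial<Task>;
// The two shapes such an option can take: a static filter object, or a function
// evaluated per request so that it can depend on the calling user.
type Prefilter = TaskFilter | (() => TaskFilter);

// Constructed sample data: two owners, three tasks.
const SAMPLE_TASKS: Task[] = [
  { id: "t1", ownerId: "alice", title: "alice task 1" },
  { id: "t2", ownerId: "alice", title: "alice task 2" },
  { id: "t3", ownerId: "bob", title: "bob task" },
];

// Hypothetical request context: the user the current call runs as.
let currentUserId = "alice";

function matches(row: Task, filter: TaskFilter): boolean {
  return (Object.keys(filter) as (keyof Task)[]).every((k) => row[k] === filter[k]);
}

function resolvePrefilter(prefilter: Prefilter): TaskFilter {
  return typeof prefilter === "function" ? prefilter() : prefilter;
}

class TaskRepository {
  constructor(private rows: Task[], private prefilter: Prefilter) {}

  // List path: always resolves the prefilter, so both shapes are honoured.
  find(extra: TaskFilter = {}): Task[] {
    const filter = { ...resolvePrefilter(this.prefilter), ...extra };
    return this.rows.filter((r) => matches(r, filter));
  }

  // Vulnerable shape (constructed to illustrate the advisory): only an
  // object-valued prefilter is merged on the by-id path, so a function-valued
  // prefilter is never applied here.
  findByIdUnsafe(id: string): Task | undefined {
    const filter = typeof this.prefilter === "function" ? {} : this.prefilter;
    return this.rows.find((r) => r.id === id && matches(r, filter));
  }

  // Hardened: fetch-by-id is find() with an id constraint, so it cannot diverge
  // from the list path's authorization filter.
  findById(id: string): Task | undefined {
    return this.find({ id })[0];
  }

  // Update and delete locate the row through the hardened by-id path, so the
  // prefilter governs write access as well as reads.
  update(id: string, patch: Partial<Omit<Task, "id">>): Task | undefined {
    const row = this.findById(id);
    if (row) Object.assign(row, patch);
    return row;
  }

  delete(id: string): boolean {
    const row = this.findById(id);
    if (!row) return false;
    this.rows = this.rows.filter((r) => r !== row);
    return true;
  }
}

// The prefilter is a function because it depends on who is calling.
function ownerOnlyRepo(): TaskRepository {
  return new TaskRepository(
    SAMPLE_TASKS.map((t) => ({ ...t })),
    () => ({ ownerId: currentUserId }),
  );
}

function demo() {
  const repo = ownerOnlyRepo();
  currentUserId = "alice";
  return {
    listed: repo.find().map((t) => t.id),       // ["t1", "t2"]
    unsafe: repo.findByIdUnsafe("t3")?.ownerId, // "bob": filter bypassed
    hardened: repo.findById("t3"),              // undefined: filter applied
    deleteOther: repo.delete("t3"),             // false
    deleteOwn: repo.delete("t1"),               // true
  };
}
```

The design point is that authorization filtering should live in one place that every access path calls, rather than being re-implemented per endpoint; a by-id, update or delete handler that inspects the filter's type itself is exactly where the two shapes can drift apart. When auditing an application on an affected version, the check is whether by-id requests for rows outside the prefilter return data while list requests correctly omit them.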
Recommendation
Update the remult package to the latest compatible version. The following are the version details:
- Affected version(s): < 0.20.6
- Patched version(s): 0.20.6
References
Tags: npm, remult
Last updated on November 09, 2023