
CVE-2020-7637 #339

Closed
ghost opened this issue Apr 8, 2020 · 10 comments

Comments

@ghost

ghost commented Apr 8, 2020

Report from dependabot:

Vulnerable versions: <= 0.2.3
Patched version: No fix
class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

Is this a known issue?
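For readers who want to see the bug class the report describes and how a maintainer typically closes it, here is an added example that is not class-transformer's code: a recursive plain-object copy that drops keys able to reach `Object.prototype`, plus a detection helper a test suite can run afterwards. The payload string, `safeToPlain` and `prototypePollutionDetected` are all constructed for this illustration.

```javascript
// Added example (not class-transformer's implementation): a recursive
// object-to-plain copy hardened against __proto__ payloads, and a check that
// reports whether Object.prototype has picked up enumerable properties.

// Keys that let an assignment walk up the prototype chain instead of staying
// on the target object. A naive copy that recurses into out[key] for
// key === "__proto__" ends up writing into Object.prototype itself.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Copy `source` into a fresh plain object, recursing into nested values.
// Only own enumerable keys are visited, forbidden keys are skipped, and
// nested objects are rebuilt rather than merged into an existing out[key].
function safeToPlain(source) {
  if (Array.isArray(source)) return source.map(safeToPlain);
  if (source === null || typeof source !== "object") return source;
  const out = {};
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never assign through __proto__
    const value = source[key];
    out[key] = typeof value === "object" && value !== null
      ? safeToPlain(value) // new object each time; no merge into out[key]
      : value;
  }
  return out;
}

// Detection helper: Object.prototype's built-ins are non-enumerable, so any
// enumerable key here is something that was written onto it at runtime.
function prototypePollutionDetected() {
  return Object.keys(Object.prototype);
}

// Constructed sample input resembling a JSON request body. JSON.parse turns
// "__proto__" into an ordinary own property, so naive copies iterate over it.
const CONSTRUCTED_PAYLOAD =
  '{"id": 7, "__proto__": {"isAdmin": true}, ' +
  '"meta": {"constructor": {"x": 1}, "tag": "ok"}}';

// Run the hardened copy and report what a test would assert on afterwards.
function demo() {
  const plain = safeToPlain(JSON.parse(CONSTRUCTED_PAYLOAD));
  return {
    plain,
    polluted: prototypePollutionDetected(), // expect []
    leaked: ({}).isAdmin,                   // expect undefined
  };
}
```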

@ruucci

ruucci commented Apr 14, 2020

Just ran into this same issue too.

@FryDay

FryDay commented Apr 15, 2020

Any chance of getting a fix for this soon?

@angristan

FYI: nestjs/nest#4598

As for this vulnerability, Nest handles this issue internally for several months already so our users shouldn't be affected. https://github.com/nestjs/nest/blob/master/packages/common/pipes/validation.pipe.ts#L159-L165

@ghost ghost mentioned this issue May 3, 2020
@saulotoledo
Member

saulotoledo commented May 13, 2020

Available fixes to be reviewed:

#341
#342

@pleerock @NoNameProvided Could you take a look at this issue?

@saulotoledo
Member

@jotamorais Could you take a look at these? The PRs need to be carefully reviewed, but they are both small. This comment might be useful while reviewing the code.

@jotamorais
Member

I will review later today and post an update.
Thanks!

@FryDay

FryDay commented Jul 7, 2020

Any updates on this?

@jotamorais
Member

Issue fixed via #367

@BorntraegerMarc

Nice 🎉 I'd appreciate a new release of the plugin, so we can install the fix 🙂

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 24, 2020