Skip to content

class-transformer vulnerability found in package-lock.json #356

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ishaileshmishra opened this issue Jun 7, 2020 · 3 comments
Closed

class-transformer vulnerability found in package-lock.json #356

ishaileshmishra opened this issue Jun 7, 2020 · 3 comments

Comments

@ishaileshmishra
Copy link

moderate severity
Vulnerable versions: <= 0.2.3
Patched version: No fix

class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a 'proto' payload.
@stellar-noah
Copy link

Duplicate of #343 #340 #339
Closed by #341 #342

@saulotoledo
Copy link
Member

saulotoledo commented Jun 25, 2020
edited
Loading

@jotamorais This issue may be closed in favor of #339.

@github-actions
Copy link

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 30, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@saulotoledo @jotamorais @ishaileshmishra @stellar-noah