CVE-2020-7637

Report from dependabot:

Vulnerable versions: <= 0.2.3
Patched version: No fix
class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a 'proto' payload.

Is this a known issue?

[ruucci]

Just ran into this same issue too.

[FryDay]

Any chance of getting a fix for this soon?

[angristan]

FYI: nestjs/nest#4598

As for this vulnerability, Nest handles this issue internally for several months already so our users shouldn't be affected. https://github.com/nestjs/nest/blob/master/packages/common/pipes/validation.pipe.ts#L159-L165

[saulotoledo]

Available fixes to be reviewed:

#341
#342

@pleerock @NoNameProvided Could you take a look on this issue?

[saulotoledo]

@jotamorais Could you take a look on these? The PRs need to be carefully reviewed, but they are both small. This comment might be useful while reviewing the code.

[jotamorais]

I will review later today and post an update.
Thanks!

[FryDay]

Any updates on this?

[jotamorais]

Issue fixed via #367

[BorntraegerMarc]

Nice 🎉 I'd appreciate a new release of the plugin, so we can install the fix 🙂