class-transformer through 0.2.3 is vulnerable to Prototype Pollution. The ‘classToPlainFromExist’ function could be tricked into adding or modifying properties of ‘Object.prototype’ using a ‘proto’ payload.
CPE | Name | Operator | Version |
---|---|---|---|
class-transformer | lt | 0.3.1 |
github.com/typestack/class-transformer
github.com/typestack/class-transformer/blob/a650d9f490573443f62508bc063b857bcd5e2525/src/ClassTransformer.ts#L29-L31,
github.com/typestack/class-transformer/commit/8f04eb9db02de708f1a20f6f2d2bb309b2fed01e
nvd.nist.gov/vuln/detail/CVE-2020-7637
snyk.io/vuln/SNYK-JS-CLASSTRANSFORMER-564431