PT-2019-15396 · Typestack · Class-Validator

Xiaofen9 · Published 2019-10-24 · Updated 2023-02-28 · CVE-2019-18413

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: class-validator versions 0.10.2 through 0.13.x

Description: The validate() input validation in class-validator can be bypassed because certain internal attributes can be overwritten via a conflicting name. Although there is an optional forbidUnknownValues parameter that can reduce the risk of this bypass, it is not documented, leading most developers to configure input validation in the vulnerable default manner. This allows attackers to launch SQL injection or XSS attacks by injecting arbitrary malicious input.

Recommendations: For class-validator versions 0.10.2 through 0.13.x, update to version 0.14.0 or later, where the default setting for forbidUnknownValues has been changed to true. As a temporary workaround, consider setting the forbidUnknownValues parameter to true to reduce the risk of input validation bypass until a patch is available.
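The bypass and the forbidUnknownValues mitigation, as an added example that is not class-validator's own code: a constructed model in which validation rules are looked up by the object's constructor (an assumption modelled on the library's decorator metadata), so a plain object produced by JSON.parse matches no rules at all; the weak default accepts it with no errors, while forbidUnknownValues: true rejects it. The CreateUser class, the rules store and handleRequest are hypothetical names.

```javascript
// Added example, not class-validator's own code: a minimal model of the
// validate() bypass and of the effect of forbidUnknownValues.
// Assumption: rules are looked up by the object's constructor, as the
// library's decorator metadata is; the rule store below is constructed.
const rules = new Map();

class CreateUser {}                       // hypothetical DTO class
rules.set(CreateUser, {
  name: (v) => typeof v === "string" && /^[a-z0-9_]{3,16}$/i.test(v),
  age: (v) => Number.isInteger(v) && v >= 0 && v < 150,
});

// Model of validate(object, options); returns an array of error strings,
// an empty array meaning "valid".
function validate(object, options = {}) {
  // false mirrors the pre-0.14.0 default the advisory describes as vulnerable
  const forbidUnknownValues = options.forbidUnknownValues ?? false;
  const ruleSet = rules.get(object?.constructor);
  if (!ruleSet) {
    // No rules registered for this object: the weak default reports no
    // errors, the hardened setting reports an unknown value.
    return forbidUnknownValues ? ["an unknown value was passed to validate"] : [];
  }
  const errors = [];
  for (const [prop, check] of Object.entries(ruleSet)) {
    if (!check(object[prop])) errors.push(`${prop} failed validation`);
  }
  return errors;
}

// JSON.parse yields a plain object whose constructor is Object, so no
// decorator rules apply to it unless it is converted to the DTO class first.
function handleRequest(rawJson, options) {
  return validate(JSON.parse(rawJson), options);
}

// Constructed request body that violates both rules.
const BAD_BODY = JSON.stringify({ name: "!!!", age: -1 });

console.log(handleRequest(BAD_BODY));                                // [] (bypass)
console.log(handleRequest(BAD_BODY, { forbidUnknownValues: true }));  // 1 error
console.log(validate(Object.assign(new CreateUser(), { name: "!!!", age: -1 }))); // 2 errors
```

Converting the parsed body to the DTO class before calling validate() is what makes the rules apply; forbidUnknownValues: true is the safety net that turns a forgotten conversion into a rejected request instead of a silently accepted one.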

Tags: Exploit · Fix · XSS · SQL injection

Weakness Enumeration

Related Identifiers

CVE-2019-18413
GHSA-FJ58-H2FR-3PP2

Affected Products

Class-Validator