PT-2022-16137 · Unknown+1 · Class-Validator+3
Lumakernel
·
Published
2022-02-07
·
Updated
2023-07-13
·
CVE-2022-23623
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Frourio versions prior to v0.26.0
Description
Frourio is a full stack framework for TypeScript. Users who run Frourio versions prior to v0.26.0 and integrate with class-validator through the
validators/ folder are subject to an input validation issue. Validators do not work properly for request bodies and queries in specific situations, and some input is not validated at all.
Recommendations
Update Frourio to v0.26.0 or later and install
class-transformer and reflect-metadata.
As a temporary workaround, validate objects from requests with class-transformer manually in controllers, or avoid using validators.
Prototype Pollution
RCE
Related Identifiers
Affected Products
Frourio
Class-Transformer
Class-Validator
Reflect-Metadata