Name of the Vulnerable Software and Affected Versions cuyz/valinor versions 0.5.0 through 0.6.x

Description The issue arises when upgrading from an older system to a newer one, which can lead to the wrong constructor being picked. A security concern is present, similar to a known issue in Rails. This can be exploited using a malicious payload, potentially leading to database compromise. For example, a UserDTO class can be exploited when mixed with the vulnerable cuyz/valinor version. The exploitation can occur through various input formats, such as JSON, HTML, or x-form-urlencoded. The treeMapper->map function can be used with a malicious payload to execute arbitrary database commands.

Recommendations For cuyz/valinor versions 0.5.0 through 0.6.x, update to version 0.7.0, which contains a patch for this issue. As a temporary workaround, consider disabling automatic named constructor resolution and only use explicitly mapped named constructors. Restrict access to the treeMapper->map function to minimize the risk of exploitation. Avoid using the connection and id variables in the affected API endpoint until the issue is resolved.