9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-18413

GHSA ID

GHSA-fj58-h2fr-3pp2

EPSS Score

0.30925%

CWE

CWE-79

Published

10/12/2021

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-18413

CVE-2019-18413: SQL Injection and Cross-site Scripting in class-validator

In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.

The default settings for forbidUnknownValues has been changed to true in 0.14.0.

NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-18413

GHSA ID

GHSA-fj58-h2fr-3pp2

EPSS Score

0.30925%

CWE

CWE-79

Published

10/12/2021

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
class-validator	npm	< 0.14.0	0.14.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from the validate() function's default handling of unknown values. Before v0.14.0, forbidUnknownValues defaulted to false, allowing attackers to submit payloads with properties that conflict with internal validation metadata (like constructor properties). This is explicitly demonstrated in GitHub Issue #438's PoC where proto injection bypasses validation. The validate() function is the primary entry point for validation and its default configuration was the root cause. The vulnerability was resolved in v0.14.0 by changing the default forbidUnknownValues to true, confirming this function's central role in the security issue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Typ*St**k *l*ss-v*li**tor, `v*li**t*()` input v*li**tion **n ** *yp*ss** ****us* **rt*in int*rn*l *ttri*ut*s **n ** ov*rwritt*n vi* * *on*li*tin* n*m*. *v*n t*ou** t**r* is *n option*l `*or*i*UnknownV*lu*s` p*r*m*t*r t**t **n ** us** to r**u** t**

Reasoning

T** *or* vuln*r**ility st*ms *rom t** v*li**t*() *un*tion's ****ult **n*lin* o* unknown v*lu*s. ***or* v*.**.*, *or*i*UnknownV*lu*s ****ult** to **ls*, *llowin* *tt**k*rs to su*mit p*ylo**s wit* prop*rti*s t**t *on*li*t wit* int*rn*l v*li**tion m*t**

9.8

Basic Information

Concerned about an active attack path?

CVE-2019-18413: SQL Injection and Cross-site Scripting in class-validator

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI