Miggo Logo
Miggo Vulnerability Database
CVE-2020-7637

CVE-2020-7637: Prototype pollution in class-transformer

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-7637
GHSA ID
GHSA-6gp3-h3jj-prx4
EPSS Score
0.54282%
CWE
CWE-915
Published
4/7/2020
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
class-transformernpm< 0.3.10.3.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The CVE/GHSA explicitly names 'classToPlainFromExist' as the vulnerable entry point.
  2. The patch adds key filtering for 'proto' and 'constructor' in TransformOperationExecutor.ts, which is invoked by classToPlainFromExist.
  3. The added test cases directly target classToPlainFromExist with prototype pollution payloads.
  4. The vulnerability manifests when processing nested objects during transformation, which is handled by this function's execution flow.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*l*ss-tr*ns*orm*r t*rou** *.*.* is vuln*r**l* to Prototyp* Pollution. T** '*l*ssToPl*in*rom*xist' *un*tion *oul* ** tri*k** into ***in* or mo*i*yin* prop*rti*s o* 'O*j**t.prototyp*' usin* * '__proto__' p*ylo**.

Reasoning

*. T** *V*/**S* *xpli*itly n*m*s '*l*ssToPl*in*rom*xist' *s t** vuln*r**l* *ntry point. *. T** p*t** ***s k*y *ilt*rin* *or '__proto__' *n* '*onstru*tor' in Tr*ns*ormOp*r*tion*x**utor.ts, w*i** is invok** *y *l*ssToPl*in*rom*xist. *. T** ***** t*st *