
CVE-2020-7637: Prototype pollution in class-transformer

CVSS Score
5.3 (CVSS v3.1)

Basic Information

EPSS Score
0.54282%
Published
4/7/2020
Updated
1/27/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name
class-transformer
Ecosystem
npm
Vulnerable Versions
< 0.3.1
First Patched Version
0.3.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The CVE/GHSA explicitly names 'classToPlainFromExist' as the vulnerable entry point.
  2. The patch adds key filtering for '__proto__' and 'constructor' in TransformOperationExecutor.ts, which is invoked by classToPlainFromExist.
  3. The added test cases directly target classToPlainFromExist with prototype pollution payloads.
  4. The vulnerability manifests when processing nested objects during transformation, which is handled by this function's execution flow.
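As an added illustration (not class-transformer's own code), the routine below models a "copy into an existing plain object" transformation that applies the same key filtering the fix describes, skipping '__proto__' and 'constructor' while walking nested objects, and a check that Object.prototype stays untouched. The sample payload is constructed here.

```javascript
// Illustrative hardened "copy into an existing plain object" routine.
// It mirrors the shape of the fix described above (skip '__proto__' and
// 'constructor' keys while walking nested objects); it is not the
// library's own code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Copy own enumerable properties of `source` into `target`, recursing into
// nested objects. Keys that would reach the prototype chain are dropped.
function copyIntoExisting(source, target) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // the fix: never follow these keys
    const value = source[key];
    if (isPlainObject(value)) {
      // Only recurse into an own plain-object property; otherwise start a
      // fresh object so the copy never writes into an inherited one.
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          !isPlainObject(target[key])) {
        target[key] = {};
      }
      copyIntoExisting(value, target[key]);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// True if Object.prototype now carries an own property named probeKey,
// i.e. the transformation polluted the global prototype.
function prototypeIsPolluted(probeKey) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
}

// Constructed sample input with a nested '__proto__' key, the kind of payload
// the advisory describes. JSON.parse keeps '__proto__' as an own property;
// an object literal would set the prototype instead.
const SAMPLE_PAYLOAD = JSON.parse(
  '{"name":"alice","__proto__":{"polluted":true},' +
  '"nested":{"constructor":{"prototype":{"polluted":true}},"ok":1}}'
);

function runSample() {
  const out = copyIntoExisting(SAMPLE_PAYLOAD, {});
  return { out, polluted: prototypeIsPolluted('polluted') };
}
```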


WAF Protection Rules

WAF Rule

class-transformer through *.*.* is vulnerable to Prototype Pollution. The 'classToPlainFromExist' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.
