7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31140

GHSA ID

GHSA-5pgm-3j3g-2rc7

EPSS Score

0.33459%

CWE

CWE-200

Published

7/12/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31140

CVE-2022-31140: Valinor error messages leading to potential data exfiltration before v0.12.0

<?php

namespace My\App;

use CuyZ\Valinor\Mapper\MappingError;
use CuyZ\Valinor\Mapper\Tree\Node;
use CuyZ\Valinor\Mapper\Tree\NodeTraverser;
use CuyZ\Valinor\MapperBuilder;

require_once __DIR__ . '/Valinor/vendor/autoload.php';

final class Money
{
    private function __construct(public readonly string $amount)
    {
    }

    public static function fromString(string $money): self
    {
        if (1 !== \preg_match('/^\d+ [A-Z]{3}$/', $money)) {
            throw new \InvalidArgumentException(\sprintf('Given "%s" is not a recognized monetary amount', $money));
        }
        
        return new self($money);
    }
}

class Foo
{
    public function __construct(
        private readonly Money $a,
        private readonly Money $b,
        private readonly Money $c,
    ) {}
}

$mapper = (new MapperBuilder())
    ->registerConstructor([Money::class, 'fromString'])
    ->mapper();

try {
    var_dump($mapper->map(Foo::class, [
        'a' => 'HAHA',
        'b' => '100 EUR',
        'c' => 'USD 100'
    ]));
} catch (MappingError $e) {
    $messages = (new NodeTraverser(function (Node $node) {
        foreach ($node->messages() as $message) {
            var_dump([
                '$message',
                $message->path(),
                $message->body()
            ]);
        }
        return '';
    }))->traverse($e->node());

    iterator_to_array($messages);
}

Now, this is quite innocent: it produces following output:

❯ php value-object-conversion.php
array(3) {
  [0]=>
  string(8) "$message"
  [1]=>
  string(1) "a"
  [2]=>
  string(48) "Given "HAHA" is not a recognized monetary amount"
}
array(3) {
  [0]=>
  string(8) "$message"
  [1]=>
  string(1) "c"
  [2]=>
  string(51) "Given "USD 100" is not a recognized monetary amount"
}

The problem is that nowhere I told valinor that it could use Throwable#getMessage().

This is a problem with cases where you get:

an SQL exception showing an SQL snippet
a DB connection exception showing DB ip address/username/password
a timeout detail / out of memory detail (exploring DDoS possibilities)

This allows for potential data exfiltration, DDoS, enumeration attacks, etc.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31140

GHSA ID

GHSA-5pgm-3j3g-2rc7

EPSS Score

0.33459%

CWE

CWE-200

Published

7/12/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cuyz/valinor	composer	< 0.12.0	0.12.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises because Valinor's error handling system included exception messages from userland code (e.g., Money::fromString) in error outputs by default. The Message::body() method directly exposes these messages via Throwable::getMessage(), which could contain sensitive data. The fix in 0.12.0 introduced explicit filtering via MapperBuilder::filterExceptions(), confirming that the root cause was unvalidated exposure of exception messages through this method.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

```p*p <?p*p n*m*sp*** My\*pp; us* *uyZ\V*linor\M*pp*r\M*ppin**rror; us* *uyZ\V*linor\M*pp*r\Tr**\No**; us* *uyZ\V*linor\M*pp*r\Tr**\No**Tr*v*rs*r; us* *uyZ\V*linor\M*pp*r*uil**r; r*quir*_on** __*IR__ . '/V*linor/v*n*or/*utolo**.p*p'; *in*l *l*ss

Reasoning

T** vuln*r**ility *ris*s ****us* V*linor's *rror **n*lin* syst*m in*lu*** *x**ption m*ss***s *rom us*rl*n* *o** (*.*., `Mon*y::*romStrin*`) in *rror outputs *y ****ult. T** `M*ss***::*o*y()` m*t*o* *ir**tly *xpos*s t**s* m*ss***s vi* `T*row**l*::**tM

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-31140: Valinor error messages leading to potential data exfiltration before v0.12.0

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI