SQL Injection and Cross-site Scripting in class-validator - '^0.12.2' #40

Closed
kalyangoud145 opened this issue Jun 24, 2024 · 1 comment · Fixed by #41

Comments

@kalyangoud145

In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.

The default settings for forbidUnknownValues has been changed to true in 0.14.0.

Is there any plan to update the version of class-validator from v0.12.2 to v0.14.0 (or the latest version)?

  • If there is a plan, can you please update the ETA for that.
  • We are currently using the module ngx-reactive-form-class-validator in a live application, so it would be really helpful if the upgrade is done ASAP.
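The fail-open behaviour described in the issue, as an added example that is not part of the original thread and not class-validator's own code: a minimal model of a decorator-style validator that looks up rules by the input's constructor, with a hypothetical `forbidUnknownValues` option mirroring the one named above. All names (`ruleRegistry`, `addRule`, `validateInput`, `SignupDto`) are hypothetical, the inputs are constructed, and modelling the "conflicting name" as an own `constructor` property on parsed JSON is an assumption of this model, since the issue text does not name the internal attribute involved.

```typescript
// Added example (not class-validator's code). Models a validator whose rule
// lookup is keyed by the input object's constructor, so that an input whose
// constructor cannot be resolved has no rules to run. The old default reports
// "no errors" in that case (fail-open); forbidUnknownValues rejects it
// (fail-closed). Names and inputs are hypothetical/constructed.

type Rule = (value: unknown) => string | null; // null = ok, string = error message
type RuleSet = Map<string, Rule[]>;             // property name -> rules

// Registry keyed by class (constructor function), like a decorator metadata store.
const ruleRegistry = new Map<Function, RuleSet>();

function addRule(target: Function, property: string, rule: Rule): void {
  const set = ruleRegistry.get(target) || new Map<string, Rule[]>();
  const rules = set.get(property) || [];
  rules.push(rule);
  set.set(property, rules);
  ruleRegistry.set(target, set);
}

interface ValidateOptions {
  // Hypothetical mirror of the option named in the issue.
  forbidUnknownValues?: boolean;
}

function validateInput(input: object, options: ValidateOptions = {}): string[] {
  // The lookup key is read from the object itself. An own property named
  // "constructor" (assumption: e.g. a key in a parsed JSON body) shadows the
  // prototype's constructor, so the registry lookup misses.
  const key = (input as { constructor?: unknown }).constructor;
  const rules = typeof key === "function" ? ruleRegistry.get(key) : undefined;
  if (!rules) {
    // Fail-open default: nothing to check, so report no errors.
    // Fail-closed (forbidUnknownValues): refuse to accept an unknown value.
    return options.forbidUnknownValues
      ? ["an unknown value was passed to the validate function"]
      : [];
  }
  const errors: string[] = [];
  rules.forEach((propertyRules, property) => {
    const value = (input as Record<string, unknown>)[property];
    for (const rule of propertyRules) {
      const err = rule(value);
      if (err) errors.push(`${property}: ${err}`);
    }
  });
  return errors;
}

// Constructed model: username must be a short alphanumeric string.
class SignupDto {
  username = "";
}
addRule(SignupDto, "username", (v) =>
  typeof v === "string" && /^[A-Za-z0-9_]{3,16}$/.test(v)
    ? null
    : "must be 3-16 alphanumeric characters");

// A well-formed class instance with a valid value: no errors.
function validDtoErrors(): string[] {
  const dto = new SignupDto();
  dto.username = "alice_01";
  return validateInput(dto);
}

// A class instance with an invalid value: the rule fires as expected.
function badDtoErrors(): string[] {
  const dto = new SignupDto();
  dto.username = "bad value; not alphanumeric";
  return validateInput(dto);
}

// A constructed plain JSON body carrying a conflicting "constructor" key and
// an invalid username. The lookup misses, so the fail-open default reports
// no errors even though the value violates the rule.
const conflictingBody = JSON.parse(
  '{"constructor": "SignupDto", "username": "bad value; not alphanumeric"}'
) as object;

function bypassWithDefault(): string[] {
  return validateInput(conflictingBody);
}

function rejectedWithForbidUnknownValues(): string[] {
  return validateInput(conflictingBody, { forbidUnknownValues: true });
}
```

The same fail-open path is taken for any input whose constructor has no registered rules, including an ordinary plain object (constructor `Object`) that was never transformed into the decorated class; the defender-side takeaway is that a validator should fail closed on inputs it has no rules for, which is what the `forbidUnknownValues: true` default in 0.14.0 provides.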
@abarghoud
Owner

Hi @kalyangoud145,

Thanks for flagging this! I’m on it and will be releasing an updated version of ngx-reactive-form-class-validator this week, aligning it with class-validator ^0.14.0 to address the security issue you mentioned.

Stay tuned, and I’ll make sure you can update seamlessly. Appreciate your vigilance and patience!

abarghoud added a commit that referenced this issue Jun 24, 2024
…-dependency

Change class-validator peer dependency to include version ^0.14.0 that fixes a critical security issue