CVE-2019-18413
Input Validation Bypass vulnerability in class-validator (npm)
What is CVE-2019-18413 About?
This vulnerability in TypeStack class-validator lets input validation be bypassed: internal attributes the validator relies on can be overwritten by input fields with conflicting names, so crafted input passes validate() unchecked. Because unvalidated input can then reach database queries or HTML output, the consequences include SQL Injection and XSS, and the impact is rated high. The `forbidUnknownValues` option reduces the risk, but it was undocumented and off by default, so most deployments ran in the vulnerable configuration.
Affected Software
- class-validator (npm), versions before 0.14.0
Technical Details
The vulnerability lies in the validate() function of TypeStack class-validator. validate() applies the rules registered for the validated object's class; an attacker who sends input whose field names conflict with, and overwrite, the internal attributes class-validator uses to find those rules can cause the object to be treated as an unknown value, for which no rules run and no errors are returned. The optional forbidUnknownValues parameter makes validate() reject unknown values instead, but it defaulted to false and its usage was not well documented, so most applications configured validation in the vulnerable default manner. Malicious data that passes through unvalidated can then be used in downstream attacks such as SQL Injection or Cross-Site Scripting (XSS). Version 0.14.0 changes the default so that unknown values are rejected.
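As an added illustration (this is not class-validator's code or the maintainers' own example), the following Node.js model reproduces the behaviour described above: rules are registered per class and looked up through the validated object's constructor, an object that matches no registered class is an "unknown value", and such a value passes under the pre-0.14.0 default but is rejected when forbidUnknownValues is true. The metadataStore, registerRule, validateStrict and CreateUserDto names, the rule shape, and the two constructed payloads are assumptions; the Object.assign step that copies body keys onto the DTO stands in for whatever plain-to-class mapping an application uses.

```javascript
// Added illustration (not class-validator's own code): a minimal model of
// metadata-driven validation showing why an "unknown value" passes by default.
// metadataStore, registerRule, the rule shape and the sample DTO are assumptions.
const metadataStore = new Map(); // constructor function -> registered rules

// Stands in for a property decorator such as @Matches(): records a rule for a class.
function registerRule(targetClass, property, name, check, message) {
  if (!metadataStore.has(targetClass)) metadataStore.set(targetClass, []);
  metadataStore.get(targetClass).push({ property, name, check, message });
}

// Rules are looked up by the validated object's constructor. An object whose
// constructor has no rules is an "unknown value": it is silently accepted unless
// forbidUnknownValues is true (the default only from class-validator 0.14.0 on).
function validate(object, options = {}) {
  const rules = (object !== null && typeof object === 'object')
    ? metadataStore.get(object.constructor)
    : undefined;
  if (!rules) {
    if (options.forbidUnknownValues === true) {
      return [{ property: undefined, constraints:
        { unknownValue: 'an unknown value was passed to the validate function' } }];
    }
    return []; // no rules found, so no errors: this is the bypass
  }
  const errors = [];
  for (const rule of rules) {
    const value = object[rule.property];
    if (!rule.check(value)) {
      errors.push({ property: rule.property, value, constraints: { [rule.name]: rule.message } });
    }
  }
  return errors;
}

// Hardened wrapper an application would call instead of bare validate().
function validateStrict(object) {
  return validate(object, { forbidUnknownValues: true });
}

// Sample DTO with one rule on username.
class CreateUserDto {
  constructor(username) { this.username = username; }
}
registerRule(CreateUserDto, 'username', 'matches',
  v => typeof v === 'string' && /^[a-z0-9_]{3,16}$/.test(v),
  'username must match /^[a-z0-9_]{3,16}$/');

// Constructed attacker inputs (not real traffic).
// 1. A parsed JSON body that was never turned into a CreateUserDto: its
//    constructor is Object, for which nothing is registered.
const PLAIN_BODY = JSON.parse('{"username":"admin\' OR 1=1 --"}');
// 2. A DTO instance onto which every body key was copied (as Object.assign or a
//    naive plain-to-class mapper would do); the body's own "constructor" key
//    shadows the prototype's, so the metadata lookup finds nothing.
const SHADOWED_DTO = Object.assign(new CreateUserDto('ok_name'),
  JSON.parse('{"username":"<script>alert(1)</script>","constructor":"Object"}'));

function demo() {
  return {
    goodDto: validate(new CreateUserDto('alice_01')).length,   // 0
    badDto: validate(new CreateUserDto("ad'min")).length,      // 1, the rule fires
    plainDefault: validate(PLAIN_BODY).length,                 // 0, bypass
    plainStrict: validateStrict(PLAIN_BODY).length,            // 1, unknownValue
    shadowedDefault: validate(SHADOWED_DTO).length,            // 0, bypass
    shadowedStrict: validateStrict(SHADOWED_DTO).length,       // 1, unknownValue
  };
}

console.log(demo());
```

Run it with node. Against the real library the same check is a single option on the real call, validate(dto, { forbidUnknownValues: true }), or the upgrade to 0.14.0 where that is the default; the point of the model is that the shape of the validated object, not only its field values, decides whether any rule runs at all.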
What is the Impact of CVE-2019-18413?
The bypass itself does not execute code; it lets attacker-controlled input reach the application unvalidated. What that input can then do depends on where the application uses it: the typical outcomes are SQL Injection and Cross-Site Scripting (XSS), and other injection attacks are possible wherever the skipped field feeds a sensitive sink.
What is the Exploitability of CVE-2019-18413?
Exploitation is of low complexity: the attacker needs to know which attribute names the validator relies on internally and must be able to submit input carrying conflicting names. It is a remote vulnerability, triggered by sending specially crafted input to the application. Whether authentication is required depends only on the endpoint that performs the validation; an unauthenticated endpoint can be attacked by unauthenticated users. No privileges beyond that are needed, because the attack targets the validation logic itself. The likelihood of exploitation is increased by the forbidUnknownValues parameter defaulting to false and being poorly documented, which led many developers to deploy vulnerable configurations unknowingly. No special conditions or constraints are noted beyond sending the malicious input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-18413?
Available Upgrade Options
- class-validator
- <0.14.0 → Upgrade to 0.14.0
Additional Resources
- https://github.com/typestack/class-validator#passing-options
- https://github.com/typestack/class-validator/issues/438#issuecomment-964728471
- https://github.com/typestack/class-validator
- https://osv.dev/vulnerability/GHSA-fj58-h2fr-3pp2
- https://nvd.nist.gov/vuln/detail/CVE-2019-18413
- https://github.com/typestack/class-validator/issues/1422#issuecomment-1344635415
- https://github.com/typestack/class-validator/issues/438
What are Similar Vulnerabilities to CVE-2019-18413?
Similar Vulnerabilities: CVE-2017-1000382, CVE-2015-20107, CVE-2021-25983, CVE-2020-13092, CVE-2023-28198
