Vulnerability Details : CVE-2022-23624
Frourio-express is a minimal full stack framework, for TypeScript. Frourio-express users who uses frourio-express version prior to v0.26.0 and integration with class-validator through `validators/` folder are subject to a input validation vulnerability. Validators do not work properly for request bodies and queries in specific situations and some input is not validated at all. Users are advised to update frourio to v0.26.0 or later and to install `class-transformer` and `reflect-metadata`.
Vulnerability category: Input validation
Products affected by CVE-2022-23624
- cpe:2.3:a:frourio:frourio-express:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-23624
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 40 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-23624
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
GitHub, Inc. |
CWE ids for CVE-2022-23624
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
-
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-23624
-
https://github.com/frouriojs/frourio-express/commit/73ded5c6f9f1c126c0cb2d05c0505e9e4db142d2
feat(validation): use class-transformer to support validation of nest… · frouriojs/frourio-express@73ded5c · GitHubPatch;Third Party Advisory
-
https://github.com/frouriojs/frourio-express/security/advisories/GHSA-mmj4-777p-fpq9
Class validators defined by users with frourio does not work properly for specific cases. · Advisory · frouriojs/frourio-express · GitHubThird Party Advisory
Jump to