CVE-2020-7637
Description
class-transformer before 0.3.1 is vulnerable to prototype pollution via the classToPlainFromExist function, allowing attackers to modify Object.prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
class-transformer before 0.3.1 is vulnerable to prototype pollution via the classToPlainFromExist function, allowing attackers to modify Object.prototype.
Vulnerability
Overview
CVE-2020-7637 is a prototype pollution vulnerability in the class-transformer library for JavaScript/TypeScript, affecting versions before 0.3.1. The flaw resides in the classToPlainFromExist function, which can be tricked into adding or modifying properties of Object.prototype using a payload containing __proto__ [1][2]. Prototype pollution occurs when an attacker injects properties into an object's prototype chain, typically by leveraging __proto__, constructor, or prototype attributes [3].
Exploitation
The vulnerability can be triggered when untrusted input is passed to the classToPlainFromExist function. The attacker supplies a payload that includes __proto__ as a property key, causing the library to assign values to Object.prototype [4]. This does not require authentication if the attacker can control the input to this function, which may be the case in serialization or deserialization scenarios common in API endpoints or data parsing [1][3].
Impact
Successful exploitation allows an attacker to pollute the global object prototype, leading to property injection across all JavaScript objects in the runtime. This can result in denial of service via unexpected exceptions or, in more severe cases, remote code execution if the polluted properties affect application logic [3]. The impact depends on how the application uses the polluted properties; for example, assigning functions or values that are later executed can lead to code injection.
Mitigation
The vulnerability is patched in class-transformer version 0.3.1 and later. Users should upgrade to the latest version to prevent prototype pollution attacks [1][2]. No known workarounds are available other than validating or sanitizing input that is passed to the affected function.
- GitHub - typestack/class-transformer: Decorator-based transformation, serialization, and deserialization between objects and classes.
- NVD - CVE-2020-7637
- Snyk Vulnerability Database | Snyk
- class-transformer/src/ClassTransformer.ts at a650d9f490573443f62508bc063b857bcd5e2525 · typestack/class-transformer
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
class-transformernpm | < 0.3.1 | 0.3.1 |
Affected products
2- class-transformer/class-transformerdescription
Patches
18f04eb9db02dFix prototype pollution vulnerabilities
2 files changed · +18 −0
src/TransformOperationExecutor.ts+4 −0 modified@@ -145,6 +145,10 @@ export class TransformOperationExecutor { // traverse over keys for (const key of keys) { + if (key === '__proto__' || key === 'constructor') { + continue; + } + const valueKey = key; let newValueKey = key, propertyName = key; if (!this.options.ignoreDecorators && targetType) {
test/functional/basic-functionality.spec.ts+14 −0 modified@@ -1749,6 +1749,20 @@ describe("basic functionality", () => { expect(transformedClass).toBeInstanceOf(TestClass); }); + it('should not pollute the prototype with a `__proto__` property',() => { + const object = JSON.parse('{"__proto__": { "admin": true }}'); + const plainObject = {}; + classToPlainFromExist(object, plainObject); + expect((plainObject as any).admin).toEqual(undefined); + }); + + it('should not pollute the prototype with a `constructor.prototype` property', () => { + const object = JSON.parse('{"constructor": { "prototype": { "admin": true }}}'); + const plainObject = {}; + classToPlainFromExist(object, plainObject); + expect((plainObject as any).admin).toEqual(undefined); + }); + it("should default union types where the plain type is an array to an array result", () => { class User { name: string;
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-6gp3-h3jj-prx4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-7637ghsaADVISORY
- github.com/typestack/class-transformer/blob/a650d9f490573443f62508bc063b857bcd5e2525/src/ClassTransformer.tsghsaWEB
- github.com/typestack/class-transformer/commit/8f04eb9db02de708f1a20f6f2d2bb309b2fed01eghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JS-CLASSTRANSFORMER-564431ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.