VYPR
High severity · NVD Advisory · Published Jul 11, 2022 · Updated Apr 22, 2025

Valinor error messages leading to potential data exfiltration

CVE-2022-31140

Description

Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use Throwable#getMessage() when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database connection exception showing database IP address/username/password, or a timeout detail / out of memory detail. Attackers could use this information for potential data exfiltration, denial of service attacks, enumeration attacks, etc. Version 0.12.0 contains a patch for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Valinor PHP library before 0.12.0 leaks exception messages in mapping errors, potentially exposing sensitive data like SQL snippets or credentials.

Root cause

CVE-2022-31140 affects the Valinor PHP library, which maps input into typed objects. Prior to version 0.12.0, the library automatically included the message from Throwable::getMessage() in error output when a constructor threw an exception [1]. This meant that detailed, sensitive information contained in exception messages—such as SQL queries, database credentials, or IP addresses—could be exposed to end users [4].

Exploitation

An attacker can trigger this vulnerability by providing malicious input that causes an exception during object mapping. For example, if a constructor throws an InvalidArgumentException with a message containing a database connection string, that message would be included in the mapping error shown to the user [1]. No special privileges are required; the attacker only needs to interact with an application using Valinor to handle untrusted data.

Impact

The primary impact is information disclosure. Attackers could extract sensitive data from error messages, including SQL snippets (from database exceptions), credentials, or internal system details [2]. This information could be used for further attacks such as data exfiltration, credential theft, or denial of service [1]. The vulnerability does not allow direct code execution but can significantly aid in reconnaissance.

Mitigation

The vulnerability is patched in Valinor version 0.12.0 [2]. The fix introduces a filterExceptions() method on MapperBuilder that allows developers to explicitly control which exceptions are caught and how their messages are handled [2]. By default, userland exceptions are no longer automatically included in error output. All users are strongly advised to upgrade to 0.12.0 or later. As an additional precaution, applications should avoid exposing raw error messages to end users in production environments [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
cuyz/valinor (Packagist) | < 0.12.0 | 0.12.0

Affected products: 3

Patches: 1

Patch bd74557e752e

release: version 0.12.0

https://github.com/cuyz/valinor · Romain Canon · Jul 10, 2022 · via osv
1 file changed · +97 −1
  • docs/pages/changelog.md (+97 −1, modified)
    @@ -8,6 +8,100 @@ toc_depth: 2
     All notable changes to this project will be documented in this file.
     <!--- END HEADER -->
     
    +## [0.12.0](https://github.com/CuyZ/Valinor/compare/0.11.0...0.12.0) (2022-07-10)
    +
    +### Notable changes
    +
    +**SECURITY — Userland exception filtering**
    +
    +See [advisory GHSA-5pgm-3j3g-2rc7] for more information.
    +
    +[advisory GHSA-5pgm-3j3g-2rc7]: https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7
    +
    +Userland exception thrown in a constructor will not be automatically caught by
    +the mapper anymore. This prevents messages with sensible information from 
    +reaching the final user — for instance an SQL exception showing a part of a 
    +query.
    +
    +To allow exceptions to be considered as safe, the new method
    +`MapperBuilder::filterExceptions()` must be used, with caution.
    +
    +```php
    +final class SomeClass
    +{
    +    public function __construct(private string $value)
    +    {
    +        \Webmozart\Assert\Assert::startsWith($value, 'foo_');
    +    }
    +}
    +
    +try {
    +    (new \CuyZ\Valinor\MapperBuilder())
    +        ->filterExceptions(function (Throwable $exception) {
    +            if ($exception instanceof \Webmozart\Assert\InvalidArgumentException) {
    +                return \CuyZ\Valinor\Mapper\Tree\Message\ThrowableMessage::from($exception);
    +            }
    +
    +            // If the exception should not be caught by this library, it
    +            // must be thrown again.
    +            throw $exception;
    +        })
    +        ->mapper()
    +        ->map(SomeClass::class, 'bar_baz');
    +} catch (\CuyZ\Valinor\Mapper\MappingError $exception) {
    +    // Should print something similar to:
    +    // > Expected a value to start with "foo_". Got: "bar_baz"
    +    echo $exception->node()->messages()[0];
    +}
    +```
    +
    +**Tree node API rework**
    +
    +The class `\CuyZ\Valinor\Mapper\Tree\Node` has been refactored to remove access
    +to unwanted methods that were not supposed to be part of the public API. Below 
    +are a list of all changes:
    +
    +- New methods `$node->sourceFilled()` and `$node->sourceValue()` allow accessing
    +  the source value.
    +
    +- The method `$node->value()` has been renamed to `$node->mappedValue()` and 
    +  will throw an exception if the node is not valid.
    +
    +- The method `$node->type()` now returns a string.
    +
    +- The methods `$message->name()`, `$message->path()`, `$message->type()` and 
    +  `$message->value()` have been deprecated in favor of the new method 
    +  `$message->node()`.
    +
    +- The message parameter `{original_value}` has been deprecated in favor of
    +  `{source_value}`.
    +
    +**Access removal of several parts of the library public API**
    +
    +The access to class/function definition, types and exceptions did not add value 
    +to the actual goal of the library. Keeping these features under the public API 
    +flag causes more maintenance burden whereas revoking their access allows more 
    +flexibility with the overall development of the library.
    +
    +### ⚠ BREAKING CHANGES
    +
    +* Filter userland exceptions to hide potential sensible data ([6ce1a4](https://github.com/CuyZ/Valinor/commit/6ce1a439adb1f6ee7e771fe02d454aa91e7b320f))
    +* Refactor tree node API ([d3b1dc](https://github.com/CuyZ/Valinor/commit/d3b1dcb64ec561cdedffe5ca779341fc9452a858))
    +* Remove API access from several parts of library ([316d91](https://github.com/CuyZ/Valinor/commit/316d91910d289780a7b791f17b958eae264a6296))
    +* Remove node visitor feature ([63c87a](https://github.com/CuyZ/Valinor/commit/63c87a2cc4c28546f28d51998a93fe89f0885535))
    +
    +### Bug Fixes
    +
    +* Handle inferring methods with same names properly ([dc45dd](https://github.com/CuyZ/Valinor/commit/dc45dd8ac5ab1126a362350dbc5292a421254d54))
    +* Process invalid type default value as unresolvable type ([7c9ac1](https://github.com/CuyZ/Valinor/commit/7c9ac1dd6d518e5e5f0fc02ee172b12084082d1d))
    +* Properly display unresolvable type ([3020db](https://github.com/CuyZ/Valinor/commit/3020db20bfa8322e3cb198487851bb5d43ea9894))
    +
    +### Other
    +
    +* Ignore `.idea` folder ([84ead0](https://github.com/CuyZ/Valinor/commit/84ead04f84118d18ad0c557db909b0cd10b65252))
    +
    +---
    +
     ## [0.11.0](https://github.com/CuyZ/Valinor/compare/0.10.0...0.11.0) (2022-06-23)
     
     ### Notable changes
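Review bot: "sensible information" (in "This prevents messages with sensible information from reaching the final user") and "hide potential sensible data" in the BREAKING CHANGES entry should read "sensitive information" and "sensitive data"; "sensible" means "reasonable" in English, and in the wording of a security fix the difference matters. The same paragraph says userland exceptions "will not be automatically caught by the mapper anymore" but never states what happens to them instead; one sentence such as "an exception that the filter does not convert propagates out of `map()` and must be handled by the caller" would tell upgraders what to expect, and the example's outer `catch (\CuyZ\Valinor\Mapper\MappingError $exception)` could carry a comment that exceptions re-thrown from the filter escape it.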
    @@ -448,7 +542,9 @@ mandatory to explicitly register custom constructors that can be used by the
     mapper.
     
     This decision was made because of a security issue reported by @Ocramius and
    -described in advisory [GHSA-xhr8-mpwq-2rr2].
    +described in advisory [advisory GHSA-xhr8-mpwq-2rr2].
    +
    +[advisory GHSA-xhr8-mpwq-2rr2]: https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7
     
     As a result, existing code must list all named constructors that were previously
     automatically used by the mapper, and registerer them using the
    
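Review bot: the new link definition `[advisory GHSA-xhr8-mpwq-2rr2]: https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7` points at the wrong advisory: the label names GHSA-xhr8-mpwq-2rr2 but the URL slug is the 0.12.0 advisory GHSA-5pgm-3j3g-2rc7 (copied from the entry above), so readers of this earlier note about the report by @Ocramius would land on the wrong page. The URL should end in GHSA-xhr8-mpwq-2rr2. The changed sentence also now reads "described in advisory [advisory GHSA-xhr8-mpwq-2rr2]", doubling "advisory"; consider link text `[GHSA-xhr8-mpwq-2rr2][advisory GHSA-xhr8-mpwq-2rr2]` or simply renaming the reference label.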

Vulnerability mechanics

Root cause

"Valinor automatically caught all Throwable exceptions from userland constructors and exposed their messages, allowing sensitive information to leak."

Attack vector

An attacker provides crafted input to a Valinor-mapped constructor that throws an exception containing sensitive information (e.g., an SQL query snippet, database credentials, or memory details). Because Valinor prior to 0.12.0 automatically caught all `Throwable` instances and exposed their messages, the attacker could read these details in the mapper's error output. This enables information disclosure that could be leveraged for further attacks such as data exfiltration or enumeration [patch_id=1641550].

Affected code

The vulnerability lies in Valinor's mapper, which previously caught all `Throwable` exceptions thrown in userland constructors and exposed their messages via `Throwable#getMessage()`. The patch does not show a specific file diff, but the changelog indicates the fix was introduced in commit `6ce1a4` (part of version 0.12.0). The affected code path is the exception-handling logic that automatically surfaced exception messages to the caller without filtering.

What the fix does

The patch (commit `6ce1a4`, part of version 0.12.0) stops the mapper from automatically catching all userland exceptions thrown in constructors. Instead, it introduces `MapperBuilder::filterExceptions()`, which requires developers to explicitly register a callback that decides which exceptions are safe to expose. Exceptions that are not explicitly allowed are re-thrown, preventing their messages from leaking sensitive data. This shifts the responsibility to the developer to whitelist only safe exception types [patch_id=1641550].
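To illustrate the filter-based fix described above and the mitigation of never exposing raw error messages, here is an added example written for this page (not Valinor's own code). It assumes cuyz/valinor 0.12.0 or later is installed via Composer at the usual `vendor/autoload.php` path, that an exception re-thrown from the filter propagates out of `map()` as the changelog states, and it uses hypothetical `AccountId` and `InvalidUserInput` classes plus a constructed connection-string message standing in for what a database driver might put in an exception. The first mapper wires a catch-all filter that turns every `Throwable` into a `ThrowableMessage`, which reproduces the pre-0.12.0 behaviour and the leak; the second converts only a dedicated user-facing exception type, re-throws everything else, and answers those with a generic response while logging the detail server-side.

```php
<?php
declare(strict_types=1);

// Added example, not Valinor's own code. Assumes cuyz/valinor >= 0.12.0
// installed via Composer; class names and the failure message are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use CuyZ\Valinor\Mapper\MappingError;
use CuyZ\Valinor\Mapper\Tree\Message\ThrowableMessage;
use CuyZ\Valinor\MapperBuilder;

/** Hypothetical exception type whose messages are written for end users. */
final class InvalidUserInput extends \DomainException {}

/** Hypothetical value object; its constructor can fail in two different ways. */
final class AccountId
{
    public function __construct(public string $value)
    {
        // Constructed failure: an internal lookup fails and the exception
        // message carries a connection string, as a driver exception might.
        if (str_starts_with($value, 'db-')) {
            throw new \RuntimeException(
                'Connection failed: mysql://app:s3cret@10.0.0.5/accounts (constructed example)'
            );
        }
        // Ordinary validation failure, phrased for the user.
        if (preg_match('/^\d+$/', $value) !== 1) {
            throw new InvalidUserInput('Account id must be numeric.');
        }
    }
}

/** Unsafe: every Throwable becomes a user-visible message, i.e. the pre-0.12.0 behaviour. */
function mapWithCatchAll(string $source): string
{
    try {
        (new MapperBuilder())
            ->filterExceptions(fn (\Throwable $e) => ThrowableMessage::from($e))
            ->mapper()
            ->map(AccountId::class, $source);
        return 'ok';
    } catch (MappingError $error) {
        // The connection string from the RuntimeException ends up here.
        return (string) $error->node()->messages()[0];
    }
}

/** Hardened: only the user-facing exception type is surfaced; everything else is re-thrown. */
function mapWithAllowlist(string $source): string
{
    try {
        (new MapperBuilder())
            ->filterExceptions(function (\Throwable $e) {
                if ($e instanceof InvalidUserInput) {
                    return ThrowableMessage::from($e);
                }
                // Not on the allowlist: must not become part of the mapper's error output.
                throw $e;
            })
            ->mapper()
            ->map(AccountId::class, $source);
        return 'ok';
    } catch (MappingError $error) {
        // Only messages built from InvalidUserInput can reach this branch.
        return (string) $error->node()->messages()[0];
    } catch (\Throwable $internal) {
        // Re-thrown exceptions escape map(); keep the detail in the server log only.
        error_log(get_class($internal) . ': ' . $internal->getMessage());
        return 'Request could not be processed.';
    }
}

echo mapWithCatchAll('db-1'), PHP_EOL;
echo mapWithAllowlist('db-1'), PHP_EOL;
echo mapWithAllowlist('abc'), PHP_EOL;
echo mapWithAllowlist('42'), PHP_EOL;
```

The contrast is in the `filterExceptions()` callback: the catch-all version is exactly the configuration a project should not write, because it restores the behaviour the advisory describes, while the allowlist version makes the set of exception types whose messages may reach a caller an explicit decision and routes everything else to a generic response and a server-side log entry.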

Preconditions

  • (input) The application uses Valinor to map user-controlled input into a value object whose constructor may throw an exception containing sensitive information.
  • (input) The attacker must be able to supply input that triggers such an exception (e.g., invalid data that causes an SQL or connection error).

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.