CVE-2019-18413

Name: CVE-2019-18413
Creator: NVD / NIST
Published: 2019-10-24T18:15:11.497+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 1.99%

Last modified Jun 17, 2026

CVE-2019-18413 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. EPSS estimates a 1.99% chance of exploitation in the next 30 days.

Description

In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.99%

78.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Typestack Class-Validator Project	Typestack Class-Validator	0.10.2

References

https://github.com/typestack/class-validator#passing-optionsThird Party Advisory
https://github.com/typestack/class-validator/issues/1422#issuecomment-1344635415Issue Tracking, Release Notes, Third Party Advisory
https://github.com/typestack/class-validator/issues/438Exploit, Issue Tracking, Third Party Advisory
https://github.com/typestack/class-validator/issues/438#issuecomment-964728471Exploit, Issue Tracking, Third Party Advisory
https://github.com/typestack/class-validator#passing-optionsThird Party Advisory
https://github.com/typestack/class-validator/issues/1422#issuecomment-1344635415Issue Tracking, Release Notes, Third Party Advisory
https://github.com/typestack/class-validator/issues/438Exploit, Issue Tracking, Third Party Advisory
https://github.com/typestack/class-validator/issues/438#issuecomment-964728471Exploit, Issue Tracking, Third Party Advisory

Timeline

Published: Oct 24, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-18413?

How severe is CVE-2019-18413?

CVE-2019-18413 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.99% probability of exploitation in the next 30 days.

How do I fix CVE-2019-18413?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-18413?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST