CVE-2023-35167 Information
Jun 24, 2023
Description
Remult is a CRUD framework for full-stack TypeScript. If you used the apiPrefilter option of the @Entity decorator by setting it to a function that returns a filter that prevents unauthorized access to data, an attacker who knows the id of an entity instance they are not authorized to access can gain read, update and delete access to it. The issue is fixed in version 0.20.6. As a workaround, set the apiPrefilter option to a filter object instead of a function.
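An added audit sketch, not code from Remult or the advisory: it flags @Entity definitions whose apiPrefilter is not an object literal when the resolved remult version is older than 0.20.6. The helper names, the line-based heuristic and the sample entity source (including its owner and archived fields) are assumptions constructed for illustration.

```typescript
// Added audit example, not Remult code. All sample inputs are constructed.

// Turn a resolved version such as "0.20.5" into a comparable number.
// Anything else (pre-release, tag, range) returns -1 so it is treated as affected.
function versionKey(version: string): number {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(version.trim());
  return m === null ? -1 : Number(m[1]) * 1e6 + Number(m[2]) * 1e3 + Number(m[3]);
}

const FIXED_KEY = versionKey("0.20.6"); // first fixed release named in the advisory

function isAffectedVersion(resolvedVersion: string): boolean {
  return versionKey(resolvedVersion) < FIXED_KEY;
}

interface Finding { line: number; text: string; }

// Heuristic: report every apiPrefilter whose value does not start with "{"
// (arrow function, function expression, identifier, or a value on the next line).
function findFunctionPrefilters(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, index) => {
    if (/\bapiPrefilter\s*:(?!\s*\{)/.test(text)) {
      findings.push({ line: index + 1, text: text.trim() });
    }
  });
  return findings;
}

// Findings only matter while the installed version predates the fix.
function audit(resolvedVersion: string, source: string): Finding[] {
  return isAffectedVersion(resolvedVersion) ? findFunctionPrefilters(source) : [];
}

// Constructed entity source: Task uses the function form, Note the object form.
const SAMPLE_SOURCE = [
  '@Entity("tasks", {',
  '  apiPrefilter: () => ({ owner: remult.user!.id }),',
  '})',
  'export class Task {}',
  '@Entity("notes", {',
  '  apiPrefilter: { archived: false },',
  '})',
  'export class Note {}',
].join("\n");

console.log(audit("0.20.5", SAMPLE_SOURCE)); // version as resolved in the lockfile
```

Each reported line is a candidate for upgrading to 0.20.6 or for the filter-object workaround described above.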
Reference
https://github.com/remult/remult/releases/tag/v0.20.6
https://github.com/remult/remult/commit/6892ae97134126d8710ef7302bb2fc37730994c5
https://github.com/remult/remult/security/advisories/GHSA-7hh3-3x64-v2g9