CVE-2023-35167
MEDIUMremult < 0.20.6 - Improper Access Control via apiPrefilter Function
Title source: llmDescription
Remult is a CRUD framework for full-stack TypeScript. If you used the apiPrefilter option of the `@Entity` decorator, by setting it to a function that returns a filter that prevents unauthorized access to data, an attacker who knows the `id` of an entity instance is not authorized to access, can gain read, update and delete access to it. The issue is fixed in version 0.20.6. As a workaround, set the `apiPrefilter` option to a filter object instead of a function.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/remult/remult/security/advisories/GHSA-7hh3-3x64-v2g9
Patch x_refsource_misc
https://github.com/remult/remult/commit/6892ae97134126d8710ef7302bb2fc37730994c5
Release Notes x_refsource_misc
https://github.com/remult/remult/releases/tag/v0.20.6
Scores
CVSS v3
5.0
EPSS
0.0007
EPSS Percentile
22.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (2)
npm/remult
0 - 0.20.6npm
remult/remult
< 0.20.6
Published
Jun 23, 2023
Tracked Since
Feb 18, 2026