{"id":"CVE-2023-35167","summary":"Remult: EntityOptions.apiPrefilter given as a function is not applied to API requests that address a single resource by id","details":"Remult is a CRUD framework for full-stack TypeScript. If the `apiPrefilter` option of the `@Entity` decorator is set to a function that returns a filter intended to prevent unauthorized access to data, that filter is not applied to API requests that address a single entity instance by its `id`. An attacker who knows the `id` of an entity instance they are not authorized to access can therefore read, update and delete it. The issue is fixed in version 0.20.6. As a workaround, set `apiPrefilter` to a filter object instead of a function; note that a static filter object cannot vary per caller, so where the filter depends on the requesting user, upgrading is required.","aliases":["GHSA-7hh3-3x64-v2g9"],"modified":"2026-04-10T05:00:51.977493Z","published":"2023-06-23T19:03:54.753Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/35xxx/CVE-2023-35167.json","cwe_ids":["CWE-284"]},"references":[{"type":"WEB","url":"https://github.com/remult/remult/releases/tag/v0.20.6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/35xxx/CVE-2023-35167.json"},{"type":"ADVISORY","url":"https://github.com/remult/remult/security/advisories/GHSA-7hh3-3x64-v2g9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-35167"},{"type":"FIX","url":"https://github.com/remult/remult/commit/6892ae97134126d8710ef7302bb2fc37730994c5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/remult/remult","events":[{"introduced":"0"},{"fixed":"6a922f0f257e5701d0f02404f3e34522079696d8"}]}],"versions":["v.0.18.0","v0.10.1","v0.10.10","v0.10.11","v0.10.12","v0.10.13","v0.10.14","v0.10.2","v0.10.3","v0.10.4","v0.10.5","v0.10.6","v0.10.7","v0.10.8","v0.10.9","v0.11.1","v0.11.2","v0.11.3","v0.11.4","v0.12.1","v0.12.2","v0.12.3","v0.12.4","v0.12.5","v0.12.6","v0.12.7","v0.13.13","v0.13.14","v0.13.15","v0.13.16","v0.13.17","v0.13.18","v0.13.19","v0.13.20","v0.13.21","v0.13.23","v0.13.24","v0.13.25","v0.13.26","v0
.13.27","v0.13.28","v0.13.30","v0.13.31","v0.17.0-exp.1","v0.17.0-exp.2","v0.17.0-exp.3","v0.17.0-exp.4","v0.17.0-exp.5","v0.17.0-exp.6","v0.17.0-exp.7","v0.18.1","v0.18.1-exp.0","v0.18.1-exp.1","v0.18.1-exp.10","v0.18.1-exp.11","v0.18.1-exp.12","v0.18.1-exp.2","v0.18.1-exp.3","v0.18.1-exp.37","v0.18.1-exp.38","v0.18.1-exp.39","v0.18.1-exp.40","v0.18.1-exp.41","v0.18.1-exp.5","v0.18.1-exp.6","v0.18.1-exp.7","v0.18.1-exp.8","v0.18.1-exp.9","v0.19.0","v0.19.1","v0.19.2","v0.19.3","v0.20.0","v0.20.0-exp.1","v0.20.0-exp.10","v0.20.0-exp.11","v0.20.0-exp.12","v0.20.0-exp.13","v0.20.0-exp.14","v0.20.0-exp.15","v0.20.0-exp.16","v0.20.0-exp.17","v0.20.0-exp.18","v0.20.0-exp.19","v0.20.0-exp.2","v0.20.0-exp.20","v0.20.0-exp.3","v0.20.0-exp.4","v0.20.0-exp.5","v0.20.0-exp.6","v0.20.0-exp.7","v0.20.0-exp.8","v0.20.0-exp.9","v0.20.1","v0.20.1-exp.0","v0.20.1-exp.1","v0.20.2","v0.20.3","v0.20.4","v0.20.5","v0.3.10","v0.3.11","v0.3.12","v0.3.4","v0.3.5","v0.3.6","v0.3.7","v0.3.8","v0.3.9","v0.4.1","v0.4.10","v0.4.11","v0.4.12","v0.4.13","v0.4.14","v0.4.15","v0.4.16","v0.4.17","v0.4.18","v0.4.19","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v0.4.6","v0.4.7","v0.4.8","v0.4.9","v0.5.1","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v0.5.6","v0.6.1","v0.6.2","v0.6.3","v0.6.4","v0.6.5","v0.6.6","v0.7.0","v0.7.1","v0.9.10","v0.9.11","v0.9.12","v0.9.13","v0.9.14","v0.9.15","v0.9.16","v0.9.17","v0.9.18","v0.9.19","v0.9.2","v0.9.20","v0.9.21","v0.9.22","v0.9.23","v0.9.24","v0.9.25","v0.9.26","v0.9.27","v0.9.28","v0.9.29","v0.9.3","v0.9.4","v0.9.5","v0.9.6","v0.9.7","v0.9.8","v0.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-35167.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"}]}