Vulnerability	Vulnerable Version
H Improperly Controlled Modification of Dynamically-Determined Object Attributes @adonisjs/lucid is a SQL ORM built on top of Active Record pattern Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the `merge` and `fill` methods, as well as record creation and update functions. An attacker can manipulate internal ORM state and bypass logic controls by injecting specially crafted keys into the payload passed to model assignment methods. This can result in unauthorized modification of records or logic bypasses by overwriting internal properties such as `$isPersisted`, `$attributes`, or `$isDeleted`. How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes? Upgrade `@adonisjs/lucid` to version 21.8.2, 22.0.0-next.6 or higher.	<21.8.2>=22.0.0-next.0 <22.0.0-next.6

Improperly Controlled Modification of Dynamically-Determined Object Attributes

@adonisjs/lucid is a SQL ORM built on top of Active Record pattern

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the merge and fill methods, as well as record creation and update functions. An attacker can manipulate internal ORM state and bypass logic controls by injecting specially crafted keys into the payload passed to model assignment methods. This can result in unauthorized modification of records or logic bypasses by overwriting internal properties such as $isPersisted, $attributes, or $isDeleted.

How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

Upgrade @adonisjs/lucid to version 21.8.2, 22.0.0-next.6 or higher.

<21.8.2>=22.0.0-next.0 <22.0.0-next.6

Go back to all versions of this package