Fix high vulnerability with kwargs injection

@collerek collerek released this 19 Mar 14:57
· 46 commits to master since this release
7f22aa2

0.23.1

‼️🚨 High vulnerability fixed – please upgrade ASAP

  • In this version of ormar a high-severity vulnerability (CVE-2026-27953) in model initialization was patched. The vulnerability allowed injection of the __pk_only__ and __excluded__ parameters through user-supplied **kwargs (e.g. JSON request bodies). Passing __pk_only__=True bypassed all Pydantic validation, and __excluded__ could nullify arbitrary fields. Thanks @Mistz1 for reporting!
  • Affected versions:
    • All versions prior to 0.23.1
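Upgrading to 0.23.1 is the fix for the ORM itself. The example below is added here and is not ormar's code: it shows the complementary boundary check an application can keep regardless of ORM version, namely never forwarding a raw JSON object as **kwargs to a model constructor, dropping keys that are not declared fields, and refusing dunder-prefixed keys such as __pk_only__ and __excluded__ outright. The UserProfile class, the RESERVED_KEYS set and the sample request bodies are constructed stand-ins (a plain dataclass rather than an ormar.Model) so the example runs without a database.

```python
"""Added example (not ormar's code): guard for building ORM models from
untrusted request bodies.

The release note names ``__pk_only__`` and ``__excluded__`` as parameters
that could be injected through ``**kwargs``. This guard rejects any
dunder-prefixed key and forwards only declared model fields.
``UserProfile`` is a constructed stand-in, not an ormar model.
"""
import json
from dataclasses import dataclass, fields
from typing import Any, Dict, Mapping

# Control parameters the release note names as injectable. A client-facing
# API should never accept these from a request body. Constructed list.
RESERVED_KEYS = frozenset({"__pk_only__", "__excluded__"})


class UntrustedInputError(ValueError):
    """Raised when a request body carries a reserved (dunder) key."""


@dataclass
class UserProfile:
    # Stand-in for an ormar.Model; the fields are constructed for the example.
    id: int
    email: str
    is_admin: bool = False


def declared_fields(model_cls) -> frozenset:
    """Names the model actually declares; for the stand-in, dataclass fields."""
    return frozenset(f.name for f in fields(model_cls))


def sanitize_user_kwargs(model_cls, body: Mapping[str, Any]) -> Dict[str, Any]:
    """Return only the keys that are declared model fields.

    Dunder-prefixed keys are rejected rather than silently dropped: a client
    sending ``__pk_only__`` or ``__excluded__`` is probing the ORM's internal
    constructor parameters, which is worth surfacing to logging/alerting.
    Unknown plain keys are dropped so the client cannot reach constructor
    arguments the public schema does not expose.
    """
    allowed = declared_fields(model_cls)
    clean: Dict[str, Any] = {}
    for key, value in body.items():
        if key in RESERVED_KEYS or key.startswith("__"):
            raise UntrustedInputError(f"reserved parameter in request body: {key}")
        if key in allowed:
            clean[key] = value
    return clean


def build_from_json(model_cls, raw_body: str):
    """Parse a JSON body and construct the model only from sanitized kwargs."""
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        raise UntrustedInputError("request body must be a JSON object")
    return model_cls(**sanitize_user_kwargs(model_cls, body))


def is_rejected(model_cls, raw_body: str) -> bool:
    """True when the guard refuses the body (handy for tests and audit logs)."""
    try:
        build_from_json(model_cls, raw_body)
    except UntrustedInputError:
        return True
    return False


# Constructed sample bodies, not captured traffic.
BENIGN_BODY = '{"id": 7, "email": "a@example.com", "extra": "ignored"}'
PROBE_BODY = '{"id": 7, "email": "a@example.com", "__pk_only__": true}'


if __name__ == "__main__":
    print(build_from_json(UserProfile, BENIGN_BODY))
    print("probe rejected:", is_rejected(UserProfile, PROBE_BODY))
```

The guard belongs at the request-handling layer, before any ORM call; it does not replace the upgrade, because the ORM constructor is still reachable from internal code paths that the guard never sees.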