Feng Xiao
Thanks for the comment. We will report this to class-transformer since the transformer and validator are usually used together, which leads to vulnerable logic. Even if class-transformer adds a patch...
Thanks for the comment. I think we should at least mention this option somewhere in the README, right?
Yes... because class-validator will be vulnerable to the mentioned attack in its default settings. We should let developers know about this undocumented `forbidUnknownValues` option and use it when handling user inputs or...
You may use babel to downgrade the code.
Thanks for the quick response. The following link points to the actual location of where the vulnerable code is: https://github.com/typestack/routing-controllers/blob/aae917bc093aa4e64f584f2660a490fda73fda5c/src/ActionParameterHandler.ts#L147 I've consulted the class-validator contributors and their suggestion is to...