GHSA-965r-9cg9-g42p: Valtimo backend libraries allow objects in the object-api to be accessed and modified by unauthorized users
All objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users.
If object-urls are exposed via other channels, the contents of these objects can be viewed independently of object-management configurations.