CVE-2026-33938: Unvalidated AST Passthrough
Accepting an input object and returning it based merely on a shallow `type` check (like 'Program' or 'AST') bypasses structural validation. If the object originates from untrusted sources, attackers can inject manipulated AST structures or type-spoofed payloads that escape the bounds of the parser. Recursively validate pre-parsed AST nodes before trusting an
greprules fetch cve-2026-33938-unvalidated-ast-passthrough --engine opengrep
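As an added illustration of the pattern the description names (example code, not the rule's own code or any particular parser's), the shallow passthrough beside a recursive structural validator; `SCHEMA`, the node types and field kinds, and the `MAX_DEPTH` bound are constructed assumptions.

```javascript
// Added example (not from the rule or any particular parser): the shallow
// passthrough the rule describes, beside a recursive structural validator.
// SCHEMA is a constructed ESTree-like subset, for illustration only.

// Vulnerable: any object that claims type 'Program' is returned as a trusted AST.
function acceptShallow(input) {
  if (input && input.type === 'Program') return input;
  throw new TypeError('expected a Program node');
}

// Constructed schema: allowed node types and, for each, its child fields' kinds.
const SCHEMA = {
  Program:             { body: 'nodes' },
  ExpressionStatement: { expression: 'node' },
  BinaryExpression:    { operator: 'string', left: 'node', right: 'node' },
  Identifier:          { name: 'string' },
  Literal:             { value: 'primitive' },
};
const MAX_DEPTH = 64; // bounds recursion so a deeply nested tree cannot exhaust the stack
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateNode(node, depth = 0) {
  if (depth > MAX_DEPTH) return false;
  if (node === null || typeof node !== 'object' || Array.isArray(node)) return false;
  if (Object.getPrototypeOf(node) !== Object.prototype) return false; // plain data only
  if (typeof node.type !== 'string' || !own(SCHEMA, node.type)) return false; // unknown type
  const fields = SCHEMA[node.type];
  for (const key of Object.keys(node)) {
    if (key !== 'type' && !own(fields, key)) return false; // unexpected or smuggled field
  }
  for (const [key, kind] of Object.entries(fields)) {
    const v = node[key];
    switch (kind) {
      case 'node':      if (!validateNode(v, depth + 1)) return false; break;
      case 'nodes':     if (!Array.isArray(v) || !v.every(c => validateNode(c, depth + 1))) return false; break;
      case 'string':    if (typeof v !== 'string') return false; break;
      case 'primitive': if (v !== null && !['string', 'number', 'boolean'].includes(typeof v)) return false; break;
      default:          return false;
    }
  }
  return true;
}

// Hardened: the object is trusted only after every node passes the schema.
function acceptValidated(input) {
  if (input && input.type === 'Program' && validateNode(input)) return input;
  throw new TypeError('rejected: not a structurally valid Program AST');
}
```

Anything outside the schema, including an own `__proto__` key that `JSON.parse` produces from hostile input, is rejected instead of passed through.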
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided