Prototype Pollution leading to Remote Code Execution in superjson
CVE-2022-23631

9.1CRITICAL

Key Information:

Vendor

Blitz-js

Status
Superjson
Vendor
CVE Published:
9 February 2022

What is CVE-2022-23631?

superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.

Affected Version(s)

superjson < 1.8.0

References

https://github.com/blitz-js/superjson/security/advisories...
x_refsource_CONFIRM
https://github.com/advisories/GHSA-5888-ffcr-r425
x_refsource_MISC
https://www.sonarsource.com/blog/blitzjs-prototype-pollut...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.