CVE-2022-23631
Published 2022-02-09
Priority: P2 · 64 · Critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.31% (81.3rd percentile)
superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blitz-js | superjson | < 1.8.0 | 1.8.0 |
| blitz-js | superjson | >= 0 < 1.8.1 | 1.8.1 |
| blitzjs | blitz | < 0.45.3 | 0.45.3 |
| blitzjs | blitz | >= 0 < 0.45.3 | 0.45.3 |
| blitzjs | superjson | < 1.8.1 | 1.8.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
OSV
Prototype Pollution leading to Remote Code Execution in superjson
osv · 2022-02-09
CVE-2022-23631 [CRITICAL] Prototype Pollution leading to Remote Code Execution in superjson
Prototype Pollution leading to Remote Code Execution in superjson
### Impact
This is a critical vulnerability, as it allows an attacker to run arbitrary code on any server using superjson input, including a Blitz.js server, without prior authentication or knowledge. Attackers gain full control over the server, so they could steal and manipulate data or attack further systems. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. In the case of Blitz.js, it would be at least one RPC call.
### Patches
This has been patched in superjson 1.8.1 and Blitz.js 0.45.3.
If you are unable to upgrade to Blitz.js 0.45.3 in a timely manner, you can instead upgrade only superjson to version 1.8.1 using yarn resolutions or similar. Blitz versions <
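The advisory's interim mitigation (forcing the patched superjson even when the application depends on it only transitively through Blitz.js) can be expressed in the application's `package.json`. The snippet below is an added example, not part of the advisory; it assumes a Yarn-based project and uses the `resolutions` field, which overrides the version selected for every occurrence of the package in the dependency tree (npm users would use the equivalent `overrides` field).

```json
{
  "name": "example-blitz-app",
  "private": true,
  "dependencies": {
    "blitz": "0.45.2"
  },
  "resolutions": {
    "superjson": "1.8.1"
  }
}
```

After editing the file, reinstall (`yarn install`) and confirm that only the fixed version remains in the tree with `yarn why superjson`; any remaining copy older than 1.8.1 means the override did not take effect. Upgrading Blitz.js itself to 0.45.3 remains the advisory's primary fix.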
GHSA
Prototype Pollution leading to Remote Code Execution in superjson
ghsa · 2022-02-09
CVE-2022-23631 [CRITICAL] CWE-1321 Prototype Pollution leading to Remote Code Execution in superjson
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://github.com/advisories/GHSA-5888-ffcr-r425
https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425
https://www.sonarsource.com/blog/blitzjs-prototype-pollution/
Published: 2022-02-09