9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23631

GHSA ID

GHSA-5888-ffcr-r425

EPSS Score

0.5011%

CWE

CWE-94

Published

2/9/2022

Updated

11/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23631

CVE-2022-23631: Prototype Pollution leading to Remote Code Execution in superjson

Impact

This is critical vulnerability, as it allows to run arbitrary code on any server using superjson input, including a Blitz.js server, without prior authentication or knowledge. Attackers gain full control over the server so they could steal and manipulate data or attack further systems. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. In the case of Blitz.js, it would be at least one RPC call.

Patches

This has been patched in superjson 1.8.1 and Blitz.js 0.45.3.

If you are unable to upgrade to Blitz.js 0.45.3 in a timely manner, you can instead upgrade only superjson to version 1.8.1 using yarn resolutions are similar. Blitz versions < 0.45.3 are only affected because they used superjson versions < 1.8.1.

Workarounds

None

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/blitz-js/superjson
Email us at b@bayer.ws

References

https://www.sonarsource.com/blog/blitzjs-prototype-pollution/

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23631

GHSA ID

GHSA-5888-ffcr-r425

EPSS Score

0.5011%

CWE

CWE-94

Published

2/9/2022

Updated

11/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
superjson	npm	< 1.8.1	1.8.1
blitz	npm	< 0.45.3	0.45.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from superjson's handling of the 'referentialEqualities' metadata during deserialization. This feature allowed path-based assignments without proper validation of property names. Attackers could craft paths targeting object prototypes (e.g., 'proto.polluted') and set arbitrary properties. The patch added validation to block 'constructor', 'prototype' and 'proto' in paths, confirming this as the injection point. While exact function names aren't visible in advisory text, the core deserialization logic handling metadata-driven assignments must be the vulnerable component given the impact and patch details.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is is *riti**l vuln*r**ility, *s it *llows to run *r*itr*ry *o** on *ny s*rv*r usin* sup*rjson input, in*lu*in* * *litz.js s*rv*r, wit*out prior *ut**nti**tion or knowl****. *tt**k*rs **in *ull *ontrol ov*r t** s*rv*r so t**y *oul* st**

Reasoning

T** vuln*r**ility st*ms *rom sup*rjson's **n*lin* o* t** 'r***r*nti*l*qu*liti*s' m*t***t* *urin* **s*ri*liz*tion. T*is ***tur* *llow** p*t*-**s** *ssi*nm*nts wit*out prop*r v*li**tion o* prop*rty n*m*s. *tt**k*rs *oul* *r**t p*t*s t*r**tin* o*j**t pr

9.1

Basic Information

Concerned about an active attack path?

CVE-2022-23631: Prototype Pollution leading to Remote Code Execution in superjson

Impact

Patches

Workarounds

For more information

References

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI