CVE-2022-23631: Prototype Pollution leading to Remote Code Execution in superjson
CVSS Score: 9.1 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-23631
GHSA ID:
EPSS Score: 0.5011%
CWE:
Published: 2/9/2022
Updated: 11/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| superjson | npm | < 1.8.1 | 1.8.1 |
| blitz | npm | < 0.45.3 | 0.45.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from superjson's handling of the `referentialEqualities` metadata during deserialization. This feature performed path-based assignments without validating the property names in the path, so a crafted path that walked through an object's prototype (e.g., `__proto__.polluted`) could set arbitrary properties on `Object.prototype`. The patch added validation that rejects `constructor`, `prototype` and `__proto__` as path segments, which confirms this as the injection point. While the exact function names are not visible in the advisory text, the core deserialization logic that performs these metadata-driven assignments must be the vulnerable component, given the impact and the patch details.
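As an added illustration (not superjson's own code, which the page does not reproduce), the following is a path-based setter of the kind the analysis describes, with the validation the 1.8.1 patch introduced: any path segment named `__proto__`, `constructor` or `prototype` is rejected before anything is assigned, and traversal only follows own properties. The dot-separated path format is an assumption made for this example.

```javascript
// Added example, not superjson's code: a hardened path-based assignment
// that refuses the three prototype-polluting segments blocked by the patch.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dot-separated path into segments. The 'a.b.c' format is an
// assumption for this example; superjson's real metadata layout differs.
function splitPath(path) {
  return path.split('.');
}

// Return the first forbidden segment in a path, or null if the path is safe.
function findForbiddenSegment(path) {
  for (const seg of splitPath(path)) {
    if (FORBIDDEN_SEGMENTS.has(seg)) return seg;
  }
  return null;
}

// Assign value at path inside target, creating intermediate plain objects.
// Throws instead of walking into __proto__ / constructor / prototype, and
// only descends into own properties so an inherited key is never followed.
function safeSetPath(target, path, value) {
  const bad = findForbiddenSegment(path);
  if (bad !== null) {
    throw new TypeError(`refusing to assign through forbidden key "${bad}" in path "${path}"`);
  }
  const segments = splitPath(path);
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// True when a fresh object does not inherit the given key, i.e. the
// shared Object.prototype has not been polluted with it.
function prototypeIsClean(key) {
  return !(key in {});
}
```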