
CVE-2022-23631: Prototype Pollution leading to Remote Code Execution in superjson

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.5011%
Published: 2/9/2022
Updated: 11/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
superjson      npm         < 1.8.1               1.8.1
blitz          npm         < 0.45.3              0.45.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from superjson's handling of the 'referentialEqualities' metadata during deserialization. That metadata tells the deserializer which paths in the payload should alias the same object, and the deserializer honoured it with path-based assignments that did not validate the property names in the path. Because the metadata travels with the payload, an attacker could supply a path such as '__proto__.polluted' and have the assignment land on Object.prototype, setting a property that then appears on every object in the process. The patch added validation that rejects 'constructor', 'prototype' and '__proto__' as path segments, confirming the path walk as the injection point. The advisory text does not name the exact functions, but the deserialization logic that applies these metadata-driven assignments is the vulnerable component, given the impact and the shape of the patch.
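The following is an added, illustrative model of the mechanism described above; it is not superjson's or Blitz's source. It shows a metadata-driven "deep set" that trusts every path segment (so a target path of '__proto__.polluted' walks onto Object.prototype), next to a hardened version that rejects '__proto__', 'prototype' and 'constructor' as segments, which is the class of check the advisory says the 1.8.1 fix added. The function names (setDeepUnsafe, setDeepSafe, applyReferentialEqualities), the envelope shape and the payloads are constructed assumptions for the demonstration, not the library's real API or captured traffic.

```javascript
// Added illustrative example (not superjson's or Blitz's code). All names
// here are assumptions for the demonstration, not the library's real API.

const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Read a dotted path out of an object tree; undefined if any hop is missing.
function getDeep(root, path) {
  return path.split('.').reduce((node, key) => (node == null ? undefined : node[key]), root);
}

// Vulnerable model: trusts every path segment. For "__proto__.polluted" the
// first hop lands on Object.prototype, so the final assignment pollutes it.
function setDeepUnsafe(root, path, value) {
  const parts = path.split('.');
  let node = root;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (node[key] === undefined || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return root;
}

// Hardened model: refuses any segment that names the prototype chain before
// touching the object, the same class of check the advisory describes.
function setDeepSafe(root, path, value) {
  for (const key of path.split('.')) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`forbidden key "${key}" in path "${path}"`);
    }
  }
  return setDeepUnsafe(root, path, value);
}

// Model of the referentialEqualities step: each source path is aliased onto
// every listed target path by assigning the same object reference there.
function applyReferentialEqualities(json, meta, setDeep) {
  for (const [sourcePath, targetPaths] of Object.entries(meta.referentialEqualities || {})) {
    const shared = getDeep(json, sourcePath);
    for (const targetPath of targetPaths) setDeep(json, targetPath, shared);
  }
  return json;
}

const deserializeUnsafe = (payload) => applyReferentialEqualities(payload.json, payload.meta, setDeepUnsafe);
const deserializeSafe = (payload) => applyReferentialEqualities(payload.json, payload.meta, setDeepSafe);

// Constructed payloads, shaped loosely like a superjson envelope. The point is
// that the attacker controls meta, not only json.
const MALICIOUS_PAYLOAD = {
  json: { a: { isAdmin: true } },
  meta: { referentialEqualities: { a: ['__proto__.polluted'] } },
};
const BENIGN_PAYLOAD = {
  json: { a: { id: 1 }, b: null },
  meta: { referentialEqualities: { a: ['b'] } },
};

const clone = (v) => JSON.parse(JSON.stringify(v));

// Run both models against the malicious payload and report what each did.
function demo() {
  const probe = {}; // unrelated object: pollution shows up here via the prototype chain
  const pollutedBefore = 'polluted' in probe;
  let pollutedAfterUnsafe = false;
  try {
    deserializeUnsafe(clone(MALICIOUS_PAYLOAD));
    pollutedAfterUnsafe = 'polluted' in probe && probe.polluted.isAdmin === true;
  } finally {
    delete Object.prototype.polluted; // undo the pollution so the rest of the process is clean
  }
  let safeRejected = false;
  try {
    deserializeSafe(clone(MALICIOUS_PAYLOAD));
  } catch (err) {
    safeRejected = /forbidden key "__proto__"/.test(err.message);
  }
  const pollutedAfterSafe = 'polluted' in probe;
  return { pollutedBefore, pollutedAfterUnsafe, safeRejected, pollutedAfterSafe };
}

console.log(demo());
```

The hardened model still performs the legitimate aliasing (the benign payload ends up with `b` pointing at the same object as `a`), so the denylist costs nothing for well-formed input. For a real deployment the fix is to move to the patched versions listed in the table above (superjson 1.8.1, blitz 0.45.3) rather than to reimplement the check.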


Impact

This is a critical vulnerability, as it allows running arbitrary code on any server using superjson input, including a blitz.js server, without prior authentication or knowledge. Attackers gain full control over the server so they could ste
