Platform: nodejs
Component: superjson
Fixed in: 1.8.1
CVE-2022-23631 is a critical Remote Code Execution (RCE) vulnerability affecting the superjson Node.js package. This vulnerability allows attackers to execute arbitrary code on any server utilizing superjson input, including Blitz.js servers, without authentication. Affected versions are those prior to 1.8.1; a patch has been released in superjson 1.8.1 and Blitz.js 0.45.3.
The impact of CVE-2022-23631 is severe. An attacker can gain complete control over the affected server by injecting malicious code through superjson input. This allows them to steal sensitive data, manipulate databases, install malware, and potentially pivot to other systems within the network. The vulnerability is particularly concerning because it requires no prior authentication, making it easily exploitable. In the context of Blitz.js, any RPC endpoint processing superjson input is vulnerable. This vulnerability shares similarities with other input validation flaws that have led to widespread compromise, highlighting the importance of secure data handling practices.
CVE-2022-23631 was publicly disclosed on February 9, 2022. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on CISA KEV, but its potential impact warrants close monitoring. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Applications built with Blitz.js that utilize superjson for data parsing are particularly at risk. Any Node.js application relying on superjson for processing external data, especially in API endpoints or RPC calls, is also vulnerable. Shared hosting environments where multiple applications share the same server instance are at increased risk due to the potential for cross-application exploitation.
• nodejs / server: `npm list superjson` lists the installed versions of superjson. Check whether the version is lower than 1.8.1.
• nodejs / server: `find / \( -name "superjson.js" -o -name "superjson.min.js" \) -print` locates superjson files on the system to identify potentially vulnerable deployments (the two `-name` tests are grouped so that `-print` applies to both).
• nodejs / server: `grep -r 'superjson.parse' /path/to/your/app` searches for uses of superjson.parse in your application code, as this is the key function called in vulnerable scenarios.
disclosure
Exploit status
EPSS: 0.40% (61st percentile)
CVSS vector
The primary mitigation for CVE-2022-23631 is to immediately upgrade to superjson version 1.8.1 or Blitz.js version 0.45.3. If upgrading is not immediately feasible, consider implementing input validation and sanitization on all superjson input to prevent malicious code injection. Web application firewalls (WAFs) configured to detect and block suspicious input patterns can provide an additional layer of defense. Review and restrict access to RPC endpoints that utilize superjson to limit the potential attack surface. After upgrading, confirm the fix by attempting to submit a crafted superjson payload designed to trigger the vulnerability and verifying that it is now rejected.
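As an added example, not code from superjson, Blitz.js or this advisory, the following pre-parse screen implements the stop-gap input validation described above: it rejects a superjson request body whose meta paths contain `__proto__`, `constructor` or `prototype` segments before the body ever reaches SuperJSON.parse. It assumes the v1 envelope format `{ json, meta }` with dot-separated path keys in `meta`; that format and all function names are assumptions of this example.

```javascript
// Added example (not superjson's, Blitz.js's or this advisory's code): a
// pre-parse screen for superjson request bodies, as a stop-gap beside the
// upgrade. Assumes the v1 envelope { json, meta: { values, referentialEqualities } }
// where meta keys (and strings under referentialEqualities) are dot-separated
// paths into `json`; that format and all names here are assumptions.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a superjson path on unescaped dots: 'a\\.b.c' -> ['a.b', 'c'].
function splitPath(path) {
  const parts = [];
  let cur = '';
  for (let i = 0; i < path.length; i++) {
    const ch = path[i];
    if (ch === '\\' && i + 1 < path.length) { cur += path[++i]; continue; }
    if (ch === '.') { parts.push(cur); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur);
  return parts;
}

// Conservative walk of `meta`: every object key and every string value is
// treated as a potential path, and any forbidden segment is reported.
function collectForbiddenPaths(node, found = []) {
  if (typeof node === 'string') {
    if (splitPath(node).some((seg) => FORBIDDEN_SEGMENTS.has(seg))) found.push(node);
  } else if (Array.isArray(node)) {
    node.forEach((v) => collectForbiddenPaths(v, found));
  } else if (node && typeof node === 'object') {
    for (const key of Object.keys(node)) {
      collectForbiddenPaths(key, found);
      collectForbiddenPaths(node[key], found);
    }
  }
  return found;
}

// Screen the raw body before it reaches SuperJSON.parse(); the offending
// path is returned so it can be logged for detection.
function screenSuperjsonPayload(rawBody) {
  let payload;
  try { payload = JSON.parse(rawBody); } catch (e) { return { ok: false, reason: 'invalid JSON' }; }
  if (!payload || typeof payload !== 'object' || !('json' in payload)) {
    return { ok: false, reason: 'not a superjson envelope' };
  }
  const bad = payload.meta === undefined ? [] : collectForbiddenPaths(payload.meta);
  return bad.length ? { ok: false, reason: `forbidden path segment: ${bad[0]}` } : { ok: true };
}
```

Run it on the raw request body in the RPC middleware, before deserialization, and log the returned reason for rejected requests.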
Update superjson to version 1.8.1 or later. This fixes the prototype pollution vulnerability that allows remote code execution. Run `npm install superjson@latest` or `yarn add superjson@latest` to update.
CVE-2022-23631 is a critical Remote Code Execution vulnerability in the superjson Node.js package, allowing attackers to execute arbitrary code on servers using superjson input.
You are affected if you are using superjson versions prior to 1.8.1, especially if you are using Blitz.js and have RPC endpoints that process superjson input.
Upgrade to superjson version 1.8.1 or Blitz.js version 0.45.3. Implement input validation and sanitization as a temporary workaround if upgrading is not immediately possible.
While no confirmed active exploitation campaigns have been publicly reported, the vulnerability's critical severity and ease of exploitation make it a high-priority target.
Refer to the superjson GitHub repository for updates and advisories: https://github.com/vercel/superjson/security/advisories/GHSA-9g9x-834c-937x