Platform
nodejs
Component
superjson
Fixed in
1.8.1
CVE-2022-23631 is a critical prototype pollution vulnerability in the superjson Node.js package that can be escalated to Remote Code Execution (RCE). superjson turns attacker-controlled input into JavaScript objects, and before version 1.8.1 its deserialization path could be made to write properties onto Object.prototype. Blitz.js uses superjson for its RPC layer, so an unauthenticated request to a Blitz.js server could exploit the flaw to execute arbitrary code. Affected versions are those prior to 1.8.1; the fix shipped in superjson 1.8.1 and Blitz.js 0.45.3.
The impact of CVE-2022-23631 is severe. A polluted prototype is shared by every object in the Node.js process, so an attacker who controls superjson input can change the behaviour of code they never touch directly; in Blitz.js this was chained into full code execution on the server, exposing data, databases and credentials on that host and giving a foothold for pivoting to other systems on the network. The flaw requires no prior authentication: any Blitz.js RPC endpoint that deserializes superjson input is reachable by an anonymous client. Like other deserialization and input-handling flaws that have led to widespread compromise, it shows why untrusted data must be parsed into a fixed, allow-listed structure rather than walked blindly.
CVE-2022-23631 was publicly disclosed on February 9, 2022. No active exploitation campaigns have been confirmed and the vulnerability is not currently listed on CISA KEV, but its critical severity and the low effort needed to exploit it (a single unauthenticated HTTP request) make it a high-priority fix. Prototype pollution payloads are easy to construct once the vulnerable code path is known, so public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
0.40% (61st percentile)
The primary mitigation for CVE-2022-23631 is to upgrade immediately to superjson 1.8.1 or later, or Blitz.js 0.45.3 or later. If upgrading is not immediately feasible, reject any superjson payload whose object keys or meta paths contain `__proto__`, `constructor` or `prototype` before handing it to the deserializer. A web application firewall (WAF) rule matching those strings adds a layer of defense, but note that JSON string escapes (for example writing `__proto__` as `"\u005f\u005fproto\u005f\u005f"`) let a payload pass a literal-string match and still decode to the forbidden key once parsed, so a WAF is not a substitute for a check on the parsed structure. Review and restrict access to RPC endpoints that deserialize superjson to limit the attack surface. After upgrading, confirm the fix by checking the installed version (`npm ls superjson` should report no copy older than 1.8.1, including transitive ones) and, if you keep a regression test, by verifying that a payload carrying a `__proto__` path segment is rejected and leaves `Object.prototype` unchanged.
Update superjson to 1.8.1 or later. This release corrects the prototype pollution in its deserialization path that allowed remote code execution. Run `npm install superjson@latest` or `yarn add superjson@latest` to update, then `npm ls superjson` to confirm that no older copy remains as a transitive dependency. Blitz.js users should move to 0.45.3 or later, which carries the fixed superjson.
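To make the flaw class and the pre-upgrade workaround concrete, here is an added illustrative model in JavaScript. It is not superjson's or Blitz.js's code: the payload shape `{ json, meta: { aliases } }`, the dotted path syntax, and every function name below are assumptions made for this example. It shows a deep-set walked over attacker-controlled paths writing into `Object.prototype`, the hardened version that refuses prototype keys, and the preflight check that rejects such paths before deserialization.

```javascript
'use strict';
// Added illustrative model of the prototype-pollution flaw class behind
// CVE-2022-23631. NOT superjson's or Blitz.js's code: the payload shape
// { json, meta: { aliases } }, the dotted path syntax and the function
// names are assumptions made for this example.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function splitPath(path) {
  return path.split('.');
}

function getDeep(root, segments) {
  let cur = root;
  for (const seg of segments) {
    if (cur === null || cur === undefined) return undefined;
    cur = cur[seg];
  }
  return cur;
}

// Unsafe deep-set: descends along an attacker-controlled path and creates
// intermediate objects without asking whether a segment is "__proto__".
// When it is, `cur` becomes Object.prototype and the final assignment
// pollutes every object in the process.
function setDeepUnsafe(root, segments, value) {
  let cur = root;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return root;
}

// Hardened deep-set: rejects prototype-reaching segments up front and only
// descends into own properties, so a path can never escape the target.
function setDeepSafe(root, segments, value) {
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) {
      throw new Error(`refusing to traverse prototype key "${seg}"`);
    }
  }
  let cur = root;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return root;
}

// Model deserializer: copies the value at each source path in meta.aliases
// to every destination path. `setDeep` is injected so the same logic can
// be run with the unsafe and the hardened helper.
function deserialize(payload, setDeep) {
  const { json, meta = {} } = payload;
  const aliases = meta.aliases || {};
  for (const [src, targets] of Object.entries(aliases)) {
    const value = getDeep(json, splitPath(src));
    for (const dst of targets) setDeep(json, splitPath(dst), value);
  }
  return json;
}

// Pre-upgrade workaround: reject, before deserializing, any payload whose
// meta paths contain a prototype key.
function validateMetaPaths(payload) {
  const aliases = (payload.meta && payload.meta.aliases) || {};
  for (const [src, targets] of Object.entries(aliases)) {
    for (const path of [src, ...targets]) {
      if (splitPath(path).some((seg) => FORBIDDEN_KEYS.has(seg))) {
        return { ok: false, path };
      }
    }
  }
  return { ok: true };
}

// Constructed attacker payload (not a real-world capture): a benign-looking
// alias whose destination path walks through __proto__ into Object.prototype.
const MALICIOUS_PAYLOAD = {
  json: { id: 1, marker: 'polluted' },
  meta: { aliases: { marker: ['__proto__.isAdmin'] } },
};

function demoUnsafe() {
  deserialize(MALICIOUS_PAYLOAD, setDeepUnsafe);
  const unrelated = {};
  const leaked = unrelated.isAdmin; // 'polluted': visible on every object
  delete Object.prototype.isAdmin;  // clean up so the process stays usable
  return leaked;
}

function demoSafe() {
  try {
    deserialize(MALICIOUS_PAYLOAD, setDeepSafe);
    return 'no error';
  } catch (e) {
    return ({}).isAdmin === undefined ? 'rejected' : 'polluted';
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe deserializer   ->', demoUnsafe());
  console.log('hardened deserializer ->', demoSafe());
  console.log('preflight check       ->', JSON.stringify(validateMetaPaths(MALICIOUS_PAYLOAD)));
}
```

The preflight check is the "validate before deserializing" workaround from the mitigation section; the hardened `setDeepSafe` is the kind of fix a library makes in place. Both are needed in practice only until the upgrade lands, after which the check becomes a cheap regression test.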
CVE-2022-23631 is a critical prototype pollution vulnerability in the superjson Node.js package that allows unauthenticated remote code execution on servers, notably Blitz.js servers, that deserialize attacker-controlled superjson input.
You are affected if you use superjson versions prior to 1.8.1 and deserialize input from untrusted clients, in particular if you run Blitz.js before 0.45.3 with RPC endpoints that process superjson input.
Upgrade to superjson 1.8.1 or later, or Blitz.js 0.45.3 or later. If upgrading is not immediately possible, reject payloads whose keys or paths contain `__proto__`, `constructor` or `prototype` as a temporary workaround.
While no confirmed active exploitation campaigns have been publicly reported, the vulnerability's critical severity and ease of exploitation make it a high-priority target.
Refer to the superjson GitHub repository for updates and advisories: https://github.com/vercel/superjson/security/advisories/GHSA-9g9x-834c-937x