Vulnerability Description
superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Blitzjs | Blitz | < 0.45.3 |
| Blitzjs | Superjson | < 1.8.1 |
Related Weaknesses (CWE)
References
- https://github.com/advisories/GHSA-5888-ffcr-r425ExploitThird Party Advisory
- https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425ExploitThird Party Advisory
- https://www.sonarsource.com/blog/blitzjs-prototype-pollution/ExploitThird Party Advisory
- https://github.com/advisories/GHSA-5888-ffcr-r425ExploitThird Party Advisory
- https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425ExploitThird Party Advisory
- https://www.sonarsource.com/blog/blitzjs-prototype-pollution/ExploitThird Party Advisory
FAQ
What is CVE-2022-23631?
CVE-2022-23631 is a vulnerability with a CVSS score of 9.0 (CRITICAL). superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson inp...
How severe is CVE-2022-23631?
CVE-2022-23631 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-23631?
Check the references section above for vendor advisories and patch information. Affected products include: Blitzjs Blitz, Blitzjs Superjson.