← Voltar para CVEs

CVE-2022-23631

CRITICAL

9.0

Descricao

superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.

Detalhes CVE

Pontuacao CVSS v3.19.0

SeveridadeCRITICAL

Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeHIGH

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado2/9/2022

Ultima modificacao2/24/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

blitzjs:blitzblitzjs:superjson

Fraquezas (CWE)

CWE-94CWE-1321

Referencias

https://github.com/advisories/GHSA-5888-ffcr-r425(security-advisories@github.com)

https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425(security-advisories@github.com)

https://www.sonarsource.com/blog/blitzjs-prototype-pollution/(security-advisories@github.com)

https://github.com/advisories/GHSA-5888-ffcr-r425(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425(af854a3a-2127-422b-91ae-364da2661108)

https://www.sonarsource.com/blog/blitzjs-prototype-pollution/(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.