superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
| Link | Tags |
|---|---|
| https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425 | third party advisory exploit |
| https://github.com/advisories/GHSA-5888-ffcr-r425 | third party advisory exploit |
| https://www.sonarsource.com/blog/blitzjs-prototype-pollution/ | third party advisory exploit |