Mike/Kordant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security sweep

Browse Source
This commit is contained in:
Michael Freno
2026-05-29 09:03:47 -04:00
parent 469c28fa64
commit 3b29de3234
60 changed files with 7148 additions and 413 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
piolium/findings/p8-011-superjson-vulnerable-version/report.md Normal file
View File

@@ -0,0 +1,47 @@
Phase: 8
Sequence: 011
Slug: superjson-vulnerable-version
Verdict: VALID
Rationale: Browser extension uses superjson@^2.2.1 which includes vulnerable versions (2.2.12.2.5) affected by CVE-2022-23631 (CVSS 10.0 prototype pollution); web server is not affected (does not use superjson)
Severity-Original: medium
Severity: medium
PoC-Status: pending
Pre-FP-Flag: none
Debate: piolium/attack-surface/balanced-chamber-summary.md
## Summary
The browser extension (`browser-ext`) depends on `superjson@^2.2.1`, which is vulnerable to CVE-2022-23631 (CVSS 10.0 — Prototype Pollution → RCE). The `^2.2.1` semver range allows any version from 2.2.1 up to (but not including) 3.0.0. CVE-2022-23631 was fixed in superjson 2.2.6, so versions 2.2.1 through 2.2.5 are vulnerable. The web server does not use superjson (confirmed by dependency scan), so the vulnerability is confined to the browser extension context.
## Location
- `browser-ext/package.json` line 18 (`"superjson": "^2.2.1"`)
- `browser-ext/src/lib/api-client.ts` (tRPC client using superjson)
## Attacker Control
The extension serializes data using superjson. If the extension deserializes malicious superjson data (e.g., from a server response), prototype pollution occurs in the extension context. This could affect extension storage, API keys, and local data.
## Trust Boundary Crossed
Browser extension local data boundary. Prototype pollution in the extension context could affect extension storage and local data handling.
## Impact
Prototype pollution in the browser extension context. The extension's local data handling could be compromised, potentially affecting extension storage, API keys, and local data. The web server is NOT affected (superjson is not installed there).
## Evidence
```json
// browser-ext/package.json
"superjson": "^2.2.1"
// ^2.2.1 allows 2.2.1 through 2.2.5 (vulnerable)
// Fix available in 2.2.6+
```
## Reproduction Steps
1. Extension serializes data containing `__proto__` key via superjson
2. If any superjson deserializer processes this data (including the extension's own deserializer), prototype pollution occurs
3. Attacker gains ability to modify `Object.prototype`, affecting all JavaScript objects in the extension context
4. In the browser extension context, this could affect extension storage, API keys, and local data
## Defense Search Results
- Web server does NOT use superjson as a dependency (confirmed by dependency scan)
- Browser extension uses superjson for tRPC client serialization
- The `api-client.ts` uses `httpBatchLink` with superjson
- CVE-2022-23631 is CVSS 10.0 but affects only the browser extension context
- No server-side deserialization of superjson data