2026-05-29 09:03:47 -04:00
Phase: 8
Sequence: 011
Slug: superjson-vulnerable-version
Verdict: VALID
Rationale: Browser extension uses superjson@^2.2.1 which includes vulnerable versions (2.2.1 through 2.2.5) affected by CVE-2022-23631 (CVSS 10.0 prototype pollution); web server is not affected (does not use superjson)
Severity-Original: medium
Severity: medium
PoC-Status: pending
Pre-FP-Flag: none
Debate: piolium/attack-surface/balanced-chamber-summary.md
## Summary
The browser extension (`browser-ext`) depends on `superjson@^2.2.1`, which is vulnerable to CVE-2022-23631 (CVSS 10.0 — Prototype Pollution → RCE). The `^2.2.1` semver range allows any version from 2.2.1 up to (but not including) 3.0.0. CVE-2022-23631 was fixed in superjson 2.2.6, so versions 2.2.1 through 2.2.5 are vulnerable. The web server does not use superjson (confirmed by dependency scan), so the vulnerability is confined to the browser extension context.
## Location
- `browser-ext/package.json` line 18 (`"superjson": "^2.2.1"`)
- `browser-ext/src/lib/api-client.ts` (tRPC client using superjson)
## Attacker Control
The extension serializes data using superjson. If the extension deserializes malicious superjson data (e.g., from a server response), prototype pollution occurs in the extension context. This could affect extension storage, API keys, and local data.
## Trust Boundary Crossed
Browser extension local data boundary. Prototype pollution in the extension context could affect extension storage and local data handling.
## Impact
Prototype pollution in the browser extension context. The extension's local data handling could be compromised, potentially affecting extension storage, API keys, and local data. The web server is NOT affected (superjson is not installed there).
## Evidence
```jsonc
// browser-ext/package.json
"superjson": "^2.2.1"
// ^2.2.1 allows 2.2.1 through 2.2.5 (vulnerable)
// Fix available in 2.2.6+
```
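As an added check (example code written for this finding, not part of the project), the following parses a package.json, locates the superjson range, and reports whether that range, and the version actually pinned in the lockfile if one is supplied, can resolve to a release below the fix version named above (2.2.6). The sample manifests are constructed to mirror the extension and the web server.

```javascript
// Fix version taken from the finding: 2.2.1 through 2.2.5 are vulnerable.
const FIXED_IN = '2.2.6';

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Lowest version an exact, caret (^x.y.z) or tilde (~x.y.z) range can resolve
// to. Such ranges are contiguous upward from that floor, so a floor below the
// fix version means the range admits at least one vulnerable release.
function rangeFloor(range) {
  const r = range.trim();
  if (r.startsWith('^') || r.startsWith('~')) return parseVersion(r.slice(1));
  return parseVersion(r); // exact pin
}

// lockedVersion: the superjson version recorded in the lockfile, if known.
// The lockfile decides what is actually installed; the range only says what
// a fresh install could pick.
function checkSuperjson(packageJsonText, lockedVersion) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const range = deps.superjson;
  if (range === undefined) {
    return { uses: false, rangeAdmitsVulnerable: false, lockedVulnerable: false };
  }
  const fixed = parseVersion(FIXED_IN);
  return {
    uses: true,
    range,
    rangeAdmitsVulnerable: compare(rangeFloor(range), fixed) < 0,
    lockedVulnerable: lockedVersion === undefined
      ? undefined
      : compare(parseVersion(lockedVersion), fixed) < 0,
  };
}

// Constructed inputs: the extension's manifest (range from the finding) and a
// web-server manifest that does not list superjson at all.
const BROWSER_EXT_PKG = JSON.stringify({ name: 'browser-ext', dependencies: { superjson: '^2.2.1' } });
const WEB_SERVER_PKG = JSON.stringify({ name: 'web-server', dependencies: {} });

console.log(checkSuperjson(BROWSER_EXT_PKG, '2.2.5')); // range and lock both vulnerable
console.log(checkSuperjson(WEB_SERVER_PKG));           // uses: false
```

Remediation is to raise the range to `^2.2.6` (or pin it) and confirm the lockfile resolves to 2.2.6 or later.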
## Reproduction Steps
1. Extension serializes data containing `__proto__` key via superjson
2. If any superjson deserializer processes this data (including the extension's own deserializer), prototype pollution occurs
3. Attacker gains ability to modify `Object.prototype`, affecting all JavaScript objects in the extension context
4. In the browser extension context, this could affect extension storage, API keys, and local data
## Defense Search Results
- Web server does NOT use superjson as a dependency (confirmed by dependency scan)
- Browser extension uses superjson for tRPC client serialization
- The `api-client.ts` uses `httpBatchLink` with superjson
- CVE-2022-23631 is CVSS 10.0 but affects only the browser extension context
- No server-side deserialization of superjson data