Kordant/piolium/findings/p8-011-superjson-vulnerable-version/draft.md
2026-05-29 09:03:47 -04:00


Phase: 8
Sequence: 011
Slug: superjson-vulnerable-version
Verdict: VALID
Rationale: Browser extension uses superjson@^2.2.1, which includes vulnerable versions (2.2.1 through 2.2.5) affected by CVE-2022-23631 (CVSS 10.0 prototype pollution); web server is not affected (does not use superjson)
Severity-Original: medium
Severity: medium
PoC-Status: pending
Pre-FP-Flag: none
Debate: piolium/attack-surface/balanced-chamber-summary.md

Summary

The browser extension (browser-ext) depends on superjson@^2.2.1, which is vulnerable to CVE-2022-23631 (CVSS 10.0 — Prototype Pollution → RCE). The ^2.2.1 semver range allows any version from 2.2.1 up to (but not including) 3.0.0. CVE-2022-23631 was fixed in superjson 2.2.6, so versions 2.2.1 through 2.2.5 are vulnerable. The web server does not use superjson (confirmed by dependency scan), so the vulnerability is confined to the browser extension context.

Location

  • browser-ext/package.json line 18 ("superjson": "^2.2.1")
  • browser-ext/src/lib/api-client.ts (tRPC client using superjson)

Attacker Control

The extension serializes data using superjson. If the extension deserializes malicious superjson data (e.g., from a server response), prototype pollution occurs in the extension context. This could affect extension storage, API keys, and local data.

Trust Boundary Crossed

Browser extension local data boundary. Prototype pollution in the extension context could affect extension storage and local data handling.

Impact

Prototype pollution in the browser extension context. The extension's local data handling could be compromised, potentially affecting extension storage, API keys, and local data. The web server is NOT affected (superjson is not installed there).

Evidence

// browser-ext/package.json
"superjson": "^2.2.1"
// ^2.2.1 allows 2.2.1 through 2.2.5 (vulnerable)
// Fix available in 2.2.6+

Reproduction Steps

  1. Extension serializes data containing __proto__ key via superjson
  2. If any superjson deserializer processes this data (including the extension's own deserializer), prototype pollution occurs
  3. Attacker gains ability to modify Object.prototype, affecting all JavaScript objects in the extension context
  4. In the browser extension context, this could affect extension storage, API keys, and local data
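A defensive pre-check the extension could run on a server response before handing it to superjson.deserialize(), added here as an example and not code from the finding or the project. It assumes superjson's documented wire shape ({json, meta: {values}} with dot-joined meta paths); the sample bodies are constructed, not captured traffic.

```javascript
// Added example: pre-deserialization guard for superjson wire payloads.
// Not code from the finding or the project. Assumes superjson's documented
// wire shape {json, meta?: {values?: {...}}}, where meta.values keys are
// dot-joined property paths (a literal dot in a key is escaped as "\.").
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a meta path such as "user.a\.b.__proto__" on unescaped dots only.
function splitMetaPath(path) {
  return path.split(/(?<!\\)\./).map((seg) => seg.replace(/\\\./g, '.'));
}

// Walk the plain-JSON part and record every path whose key would land on
// Object.prototype once a deserializer assigns through it.
function collectForbidden(value, path, out) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => collectForbidden(item, [...path, String(i)], out));
  } else if (value !== null && typeof value === 'object') {
    // JSON.parse creates "__proto__" as an own data property, so Object.keys sees it.
    for (const key of Object.keys(value)) {
      const here = [...path, key];
      if (FORBIDDEN_KEYS.has(key)) out.push(here.join('.'));
      collectForbidden(value[key], here, out);
    }
  }
}

// Returns the offending paths in a raw superjson response body. An empty list
// means the body can be handed to superjson.deserialize(); otherwise drop it.
function findPollutingPaths(rawBody) {
  const payload = JSON.parse(rawBody);
  const out = [];
  collectForbidden(payload.json, ['json'], out);
  const values = payload.meta && payload.meta.values;
  // meta.values is an array only when it annotates the root value itself.
  if (values && typeof values === 'object' && !Array.isArray(values)) {
    for (const metaPath of Object.keys(values)) {
      if (splitMetaPath(metaPath).some((seg) => FORBIDDEN_KEYS.has(seg))) {
        out.push('meta.values.' + metaPath);
      }
    }
  }
  return out;
}

// Constructed sample bodies (not captured traffic).
const BENIGN_BODY =
  '{"json":{"when":"2024-01-01T00:00:00.000Z"},"meta":{"values":{"when":["Date"]}}}';
const MALICIOUS_BODY =
  '{"json":{"user":{"name":"a","__proto__":{"isAdmin":true}}},' +
  '"meta":{"values":{"user.__proto__.when":["Date"]}}}';

console.log(findPollutingPaths(BENIGN_BODY));    // []
console.log(findPollutingPaths(MALICIOUS_BODY)); // json.user.__proto__, meta.values.user.__proto__.when
```

The guard is a stop-gap for the api-client.ts response path; upgrading the resolved superjson version in the lockfile is still the actual fix.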

Defense Search Results

  • Web server does NOT use superjson as a dependency (confirmed by dependency scan)
  • Browser extension uses superjson for tRPC client serialization
  • The api-client.ts uses httpBatchLink with superjson
  • CVE-2022-23631 is CVSS 10.0 but affects only the browser extension context
  • No server-side deserialization of superjson data