Researchers discovered a prototype pollution vulnerability in the Blitz.js framework that could lead to remote code execution. Blitz.js patched the vulnerability following the bug report, urging users to update as soon as possible.
Blitz.js Framework Vulnerability
According to a recent report from Sonar, their researchers found a severe security vulnerability in the Blitz.js framework.
Blitz.js is a full-stack React web framework built on Next.js and inspired by Ruby on Rails.
The researchers identified a prototype pollution vulnerability, CVE-2022-23631, in the “serialization library superjson used in the RPC layer of Blitz.js”. An app built on Blitz.js was vulnerable if it implemented at least one RPC call.
Exploiting this bug could allow an unauthenticated remote attacker to execute arbitrary code on the servers behind applications running a vulnerable Blitz.js version. The bug therefore put every application using the framework at risk until it was updated.
The researchers have shared the detailed technical analysis of the vulnerability in their post.
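As an added illustration (not superjson's or Blitz.js's own code, and not the exploit chain from the report), the snippet below models the kind of "write a value at a supplied path" step a serializer performs while reviving data, first without guards and then with the checks that stop a path from reaching Object.prototype; the patch list is constructed input.

```javascript
// Added example, not superjson's or Blitz.js's own code: a stand-in for the
// "write a value at a dotted path" step a serializer does while reviving data.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Vulnerable: follows the path as supplied, so '__proto__' resolves to the shared
// Object.prototype and the final write lands there instead of on `target`.
function setDeepUnsafe(target, path, value) {
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}
// Hardened: rejects prototype-reaching segments up front (an own-property test alone is
// not enough: assigning node['__proto__'] changes the prototype rather than adding a key)
// and only descends into own plain objects, so the walk cannot leave `target`.
function setDeepSafe(target, path, value) {
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to set path segment "${key}"`);
  }
  let node = target;
  for (const key of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}
// Constructed stand-in for untrusted RPC metadata: a list of [path, value] patches.
const CONSTRUCTED_PATCHES = [
  [['user', 'name'], 'alice'],
  [['__proto__', 'isAdmin'], true], // the segment a pollution attempt rides on
];
function applyPatches(setter, patches) {
  const result = {};
  for (const [path, value] of patches) setter(result, path, value);
  return result;
}
// Runs both variants, reports what an unrelated object sees, and cleans up afterwards.
function demo() {
  let pollutedSeen, safeError;
  try { applyPatches(setDeepUnsafe, CONSTRUCTED_PATCHES); pollutedSeen = {}.isAdmin; }
  finally { delete Object.prototype.isAdmin; }
  try { applyPatches(setDeepSafe, CONSTRUCTED_PATCHES); } catch (e) { safeError = e.message; }
  return { pollutedSeen, cleanAfterSafe: {}.isAdmin, safeError };
}
```

The same up-front key rejection belongs on any code path that derives property names from untrusted input, including generic deep-merge and path-set helpers.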
Vulnerability Received The Fix
According to the timeline Sonar shared in its post, the researchers found this vulnerability in February 2022 and immediately reported it to the Blitz.js maintainers, who started working on a fix. The vulnerability was patched within a couple of days, with the release of Blitz.js 0.45.3 and superjson 1.8.1.
Now that the patches are available, everyone running Blitz.js should update their applications to the latest version to receive the fix. This is especially important because the exploit details have been publicly disclosed: leaving apps unpatched exposes them to attack and to serious damage for their developers.