Researchers at Sonar found the new problem, which allowed attackers to alter the Blitz.js app’s code to build a reverse shell and issue arbitrary server commands.
Prototype vulnerability in dependencies
According to Paul Gerste, a vulnerability researcher at Sonar, “Blitz.js is an emerging JS framework that gained attention on GitHub.” “We chose it to analyse real-world vulnerabilities and assist in securing its code base.”
Blitz is a full-stack web development platform that is based on Next.js, a React-based framework, and adds components to it.
One of Blitz.js’s touted strengths is its “Zero-API” layer, which enables clients to use straightforward functions to call server-side business logic without having to create API code.
In the background, Blitz.js makes an RPC call to the server and returns the result to the client function call.
“Among other features, Blitz.js extends Next.js with an RPC layer that deserializes data from incoming requests using superjson,” Gerste said. Superjson is completely vulnerable, according to Gerste.
Superjson is a JSON variant that supports circular dependencies, dates, and regexes. The prototype pollution vulnerability resulted from the circular-dependency feature, which permits a JSON document to refer to property names by path. An attacker could use these property names to alter the server’s running code.
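The following is an added illustration, not superjson’s or Blitz.js’s code: a deliberately minimal “reference” resolver of the kind the article describes (a document carries `refs`, each a pair of property-name paths meaning “point the target at the source”), shown once without key checks and once rejecting prototype-reaching segments. The `data`/`refs` layout, the payload and the function names are constructed for this example.

```javascript
// Path segments that let a property walk leave the plain data object
// and reach Object.prototype (or Function.prototype via constructor).
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe: walks whatever path it is given. A path through "__proto__"
// lands on Object.prototype, so the final assignment pollutes it.
function walkUnsafe(root, path) {
  let node = root;
  for (const key of path.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  return [node, path[path.length - 1]];
}

// Hardened: refuses prototype-reaching segments and only follows
// own properties, so references can only point inside the document.
function walkSafe(root, path) {
  for (const key of path) {
    if (FORBIDDEN.has(key)) throw new Error(`unsafe path segment: ${key}`);
  }
  let node = root;
  for (const key of path.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, key)) node[key] = {};
    node = node[key];
  }
  return [node, path[path.length - 1]];
}

// Apply each reference: data[target] = data[source].
function resolveRefs(doc, walk) {
  const root = doc.data;
  for (const [sourcePath, targetPath] of doc.refs) {
    const [srcParent, srcKey] = walk(root, sourcePath);
    const [dstParent, dstKey] = walk(root, targetPath);
    dstParent[dstKey] = srcParent[srcKey];
  }
  return root;
}

// Constructed malicious document: the reference targets __proto__.isAdmin.
const PAYLOAD = { data: { user: { name: "alice" }, isAdmin: true },
                  refs: [[["isAdmin"], ["__proto__", "isAdmin"]]] };
const clone = (d) => JSON.parse(JSON.stringify(d));

function demoUnsafe() {            // true: every object now inherits isAdmin
  resolveRefs(clone(PAYLOAD), walkUnsafe);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution for the rest of the run
  return leaked;
}
function demoSafe() {              // "rejected": hardened walker throws
  try { resolveRefs(clone(PAYLOAD), walkSafe); return "resolved"; }
  catch (e) { return "rejected"; }
}
function demoLegitimate() {        // true: a real circular reference still works
  const doc = { data: { user: { name: "alice" } }, refs: [[["user"], ["user", "self"]]] };
  const root = resolveRefs(doc, walkSafe);
  return root.user.self === root.user;
}
```

A detection-side check for the same class of bug is simply the `FORBIDDEN` test applied to every key a deserializer is about to traverse or assign.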
RCE on Blitz servers
Gerste identified a series of vulnerabilities that might be exploited to cause RCE through the prototype pollution vulnerability.
One of these, a CLI wrapper function in the application, could be used by the attacker to start a CLI process and issue any command to the server.
Because this vulnerability can be exploited without authentication, anyone who can reach the Blitz.js application is able to carry out RCE attacks.
According to Gerste, an attacker would have the same degree of authority as the susceptible programme. Therefore, the attacker would also have root privileges if the application is running as root.
Prototype pollution bugs frequently behave in quite convoluted ways. For instance, the CLI wrapper object in the case of Blitz.js was not vulnerable on its own, but it could be reached and abused through the prototype pollution flaw.
According to Gerste, “This attack technique utilises a coding pattern which is not a vulnerability in itself.” “Prototype pollution can have a very invasive impact on the target application, and eliminating every code that could be impacted by prototype pollution would take a lot of work.”