GHSA-M272-9RP6-32MC

Vulnerability from github – Published: 2026-03-02 21:43 – Updated: 2026-03-06 15:16
VLAI?
Summary
`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization
Details

Summary

A critical Prototype Pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution.

Vulnerability Details

The root cause lies in the deserialize() method of StandardRPCJsonSerializer. When processing attacker-controlled path segments from the meta and maps arrays, the deserializer fails to implement validation or sanitization for dangerous JavaScript object keys, specifically __proto__ and constructor:

https://github.com/middleapi/orpc/blob/819ed2e0897b18a5d6a4ca85ba68568f055004a1/packages/client/src/adapters/standard/rpc-json-serializer.ts#L137-L213

There are two primary distinct write vectors available to an attacker:

  1. The meta vector: Writes type-constrained values (e.g., Map, Set, Date) to arbitrary object paths.
  2. The maps vector: Allows the injection of arbitrary string values. This occurs because the return value of getBlob(i) (which relies on FormData.get(i.toString())) is cast as Blob. Since this is strictly a TypeScript compile-time cast, the runtime execution allows standard text fields to return as arbitrary strings.

Crucially, this deserialization process occurs at the very beginning of the request lifecycle before any Zod schema validation takes place. Consequently, a malicious payload will successfully pollute the prototype even if the request is subsequently rejected by the validation layer.

This issue impacts all server adapters utilizing the RPC protocol.

Proof of Concept

To reproduce the vulnerability, set up the playgrounds/astro environment and start the development server using pnpm dev.

Run the following curl command to send a crafted payload:

curl -X POST http://localhost:4321/rpc/planet/create \
     -F 'data={"json":{},"meta":[],"maps":[["__proto__","role"]]}' \
     -F '0=admin'

Result: The deserializer evaluates maps, follows the __proto__ path, and maps index 0 to the string "admin". This immediately applies Object.prototype.role = "admin" across the entire Node.js server instance.

Impact

Servers relying on StandardRPCJsonSerializer for deserialization are immediately susceptible to global prototype pollution. The potential impacts including:

  • Privilege Escalation / Authorization Bypass: Attackers can bypass flawed security checks. For example, if the server relies on a defaulted property check like if (user.role === "admin"), the application will evaluate this as true for all users globally.
  • Remote Code Execution: If the application or its dependencies contain susceptible prototype pollution gadgets (e.g., dynamically executing shell commands or scripts based on object properties), this vulnerability can be leveraged into full RCE.
  • Denial of Service: Attackers can overwrite built-in methods (e.g., toString) or set objects into unexpected states, causing the application to crash or throw unhandled exceptions globally.
Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.13.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@orpc/client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T21:43:00Z",
    "nvd_published_at": "2026-03-06T05:16:40Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA critical Prototype Pollution vulnerability exists in the RPC JSON deserializer of the `@orpc/client` package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global `Object.prototype`. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution.\n\n### Vulnerability Details\nThe root cause lies in the `deserialize()` method of `StandardRPCJsonSerializer`. When processing attacker-controlled path segments from the `meta` and `maps` arrays, the deserializer fails to implement validation or sanitization for dangerous JavaScript object keys, specifically `__proto__` and `constructor`:\n\nhttps://github.com/middleapi/orpc/blob/819ed2e0897b18a5d6a4ca85ba68568f055004a1/packages/client/src/adapters/standard/rpc-json-serializer.ts#L137-L213\n\nThere are two primary distinct write vectors available to an attacker:\n\n1. The `meta` vector: Writes type-constrained values (e.g., `Map`, `Set`, `Date`) to arbitrary object paths.\n2. The `maps` vector: Allows the injection of arbitrary string values. This occurs because the return value of `getBlob(i)` (which relies on `FormData.get(i.toString())`) is cast `as Blob`. Since this is strictly a TypeScript compile-time cast, the runtime execution allows standard text fields to return as arbitrary strings.\n\nCrucially, this deserialization process occurs at the very beginning of the request lifecycle before any Zod schema validation takes place. Consequently, a malicious payload will successfully pollute the prototype even if the request is subsequently rejected by the validation layer.\n\nThis issue impacts all server adapters utilizing the RPC protocol.\n\n### Proof of Concept\nTo reproduce the vulnerability, set up the [playgrounds/astro](https://github.com/middleapi/orpc/tree/main/playgrounds/astro) environment and start the development server using `pnpm dev`. \n\nRun the following `curl` command to send a crafted payload:\n\n```bash\ncurl -X POST http://localhost:4321/rpc/planet/create \\\n     -F \u0027data={\"json\":{},\"meta\":[],\"maps\":[[\"__proto__\",\"role\"]]}\u0027 \\\n     -F \u00270=admin\u0027\n```\n\nResult: The deserializer evaluates `maps`, follows the `__proto__` path, and maps index `0` to the string `\"admin\"`. This immediately applies `Object.prototype.role = \"admin\"` across the entire Node.js server instance. \n\n### Impact\nServers relying on `StandardRPCJsonSerializer` for deserialization are immediately susceptible to global prototype pollution. The potential impacts including:\n\n- Privilege Escalation / Authorization Bypass: Attackers can bypass flawed security checks. For example, if the server relies on a defaulted property check like `if (user.role === \"admin\")`, the application will evaluate this as `true` for all users globally.\n- Remote Code Execution: If the application or its dependencies contain susceptible prototype pollution gadgets (e.g., dynamically executing shell commands or scripts based on object properties), this vulnerability can be leveraged into full RCE.\n- Denial of Service: Attackers can overwrite built-in methods (e.g., `toString`) or set objects into unexpected states, causing the application to crash or throw unhandled exceptions globally.",
  "id": "GHSA-m272-9rp6-32mc",
  "modified": "2026-03-06T15:16:22Z",
  "published": "2026-03-02T21:43:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/middleapi/orpc/security/advisories/GHSA-m272-9rp6-32mc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28794"
    },
    {
      "type": "WEB",
      "url": "https://github.com/middleapi/orpc/commit/1dba06fc6f938c2486de303c2fa096bc1c8418b5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/middleapi/orpc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.