Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization
Vulnerability Description
oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.
CVSS Information
N/A
Vulnerability Type
CWE-1321
Vulnerability Title
orpc 安全漏洞
Vulnerability Description
orpc是middleapi开源的一个RPC与OpenAPI集成框架。 oRPC 1.13.6之前版本存在安全漏洞,该漏洞源于@orpc/client包的RPC JSON反序列化器中存在原型污染,可能导致未经身份验证的远程攻击者向全局Object.prototype注入任意属性,从而引发身份验证绕过、拒绝服务或远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A