Chain of exploits could be triggered without any authentication.
The new bug, discovered and reported by researchers at Sonar, allowed attackers to manipulate the code in the Blitz.js app to create a reverse shell and run arbitrary commands on the server.
Prototype vulnerability in dependencies
“Blitz.js is an upcoming JS framework that gained traction on GitHub,” Paul Gerste, vulnerability researcher at Sonar, told The Daily Swig. “We selected it in order to help secure its code base and study real-world vulnerabilities.”
Blitz is built on top of Next.js, a React-based framework, and adds components to turn it into a full-stack web development platform.
One of the advertised features of Blitz.js is its ‘Zero-API’ layer, which allows the client to invoke server-side business logic through simple functions without the need to write API code.
Blitz.js makes an RPC call to the server in the background and returns the response to the client function call.
“Blitz.js adds an RPC layer on top of Next.js (among other features), and that layer uses superjson to deserialize data from incoming requests. The vulnerability is entirely inside of superjson,” Gerste said.
As an extended version of JSON, superjson adds support for dates, regexes, and circular dependencies. The circular dependency feature allows JSON specifications to reference property names, which caused the prototype vulnerability. An attacker could use these property names to change the running code on the server.
RCE on Blitz servers
Gerste discovered a chain of exploits that could be triggered through the prototype pollution vulnerability and lead to RCE.
The attacker could use this function to launch a CLI process and run an arbitrary command on the server.
What makes this vulnerability especially dangerous is that it can be triggered without any authentication, which means any user who can access the Blitz.js application will be able to launch RCE attacks.
“An attacker would have the same level of privilege as the vulnerable application,” Gerste said. “So, if the application runs as root, the attacker would also have root privileges.”
Prototype pollution bugs often act in very complicated ways. For example, in the case of Blitz.js, the CLI wrapper object was not vulnerable per se but could be abused by the prototype pollution bug.
“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste said. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.”
Segun Showunmi, Ogun PDP: “I will fight this struggle to the end”
Plateau PDP nominates former APC chairman as governorship campaign DG
Officials from Manchester United are in negotiations to sign Joao Felix from Atletico Madrid
Manchester United is teased by Atletico Madrid on their transfer request for Joao Felix
Son Heung-min may have been the target of racial remarks when Tottenham and Chelsea drew at the weekend
Sir Jim Ratcliffe, the richest man in Great Britain, expresses interest in purchasing Manchester United
2023 Budget: Nigerian govt slams N8.52trn for staff salaries, others, Presidency gets N14.2bn
U20WWC: France joins the Falconets from Group C, breaking South Korea’s heart.
Apple To Launch iPhone 14 On September [See Date]
At London’s Soultown Festival, lead performers included Gabrielle, Soul 2 Soul, and Heather Small
British billionaire, Jim Ratcliffe to buy Man United
U-20 WWC: Super Falconets flogs Canada, to meet Netherlands in quarter-finals
National Blackout: Electricity Workers Call Off Strike
Why I visited Femi Kuti – Peter Obi
Reps To Investigate Agric Ministry Over N18.6bn Spent To Clear Bush, Prepare Land
What fans should expect from sequel – “Squid Game” creator
Buju has questions to answer, a police spokesman claims, after he boasted of spitting on an officer
Buju BNXN engages in a near-free-for-all brawl with police officers
Your daily horoscope for Thursday, August 18, 2022
A robot designed by a snake-loving engineer to restore the reptile’s legs
WhatsApp is working on a feature that would allow you to retrieve deleted messages
Chaos as students drown while having fun on the Lagos beach
Ngige convenes an emergency meeting with electricity employees during a blackout.
How Magu botched high-profile corruption cases while pursuing “Yahoo Boys”
Snapchat’s Paid Users Hit 1 Million
Nigeria Police Officer Rewarded For Rejecting $200,000 Bribe
Police Caution Ronaldo Over Fan Phone Incident
Peter Obi no threat to APC in Imo – Hope Uzodinma
Peter Obi Visit Femi Kuti After Threats From Obidients [VIDEO]
Blackout Looms In Nigeria As Electricity Workers Begin Strike
APC Fires Bauchi Youth Vanguard
Closed door meeting between Bola Tinubu and Olusegun Obasanjo
Ballon d’Or nominees who are from Nigeria
La Liga teams rule out signing a Super Eagles forward valued at €30 million
Defender Udogie, Super Eagles-eligible defender describes his move to the Premier League as “A dream come true.”
Ronaldo slams the media and pledges to tell the “truth” regarding Manchester United’s future.
BBNaija S7: Beauty apologizes to fans after speaking out about her disqualification
Nigerian singer, Peter Okoye tackles jobless youths who defend people that made them jobless
Moses Armstrong, the struggling actor, shouts out, “I did not rape anyone.”
Young, Famous & African on Netflix has been renewed for a second season
Barcelona Finally Register New Signing To La Liga, Lewandowski, Raphinha, Christensen and Kessie
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Complete Episodes)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Final Episode 14)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 12)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 11)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 10)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 02)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 06)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 08)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 01)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 13)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 03)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 04)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 05)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 07)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 09)
[STORY] MY LANDLADY (Episode 01)
James Milner Reveals What Darwin Nunez Did To Liverpool’s Attack
[STORY] DELILAH’S CURVE (Complete Episodes)
[STORY] MY LANDLADY (Complete Episodes)
[STORY] SADE’S HEART TALE (Episode 22)
[STORY] SADE’S HEART TALE (Episode 21)
[STORY] MY LANDLADY (Episode 06)
Your weekly tarot horoscope for August 14 to August 20 and Mars entering Gemini
[STORY] MY LANDLADY (Episode 04)
NLC demands 50% increase in workers’ salaries
[STORY] MY LANDLADY (Episode 17)
2023 Elections: Presidential Candidates To Pay ₦10 Million For Campaign Posters In Anambra
[STORY] MY LANDLADY (Episode 03)
[STORY] MY LANDLADY (Episode 07)
A 12-year-old Nigerian child accidently kills his mother in the United States
Browser-powered desync: Black Hat USA presents a new class of HTTP request smuggling attacks
[STORY] DELILAH’S CURVE (Episode 01)
[STORY] MY LANDLADY (Final Episode 20)
[STORY] MY LANDLADY (Episode 15)
[STORY] DELILAH’S CURVE (Episode 04)
[STORY] MY LANDLADY (Episode 09)
[STORY] MY LANDLADY (Episode 11)
Images and videos from Mercy Chinwo’s wedding ceremony
[STORY] MY LANDLADY (Episode 08)
ANE's Billboard Hots
Technology1 month ago
VoIP Number: Everything You Need To Know
Music5 years ago
[Music] Wiz Khalifa – See You Again ft. Charlie Puth
Music2 months ago
[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth
Music6 years ago
[Music] Ed Sheeran – Perfect
Movie Subtitle1 month ago
DOWNLOAD Complete Money Heist Season 1 Subtitles File [English SRT] 2017
ANE Stories2 months ago
The Story Of My Life (Complete Episode 1 – 47)
Music2 months ago
[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me
Music3 years ago
[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you