漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization
Vulnerability Description
oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.
CVSS Information
N/A
Vulnerability Type
CWE-1321
Vulnerability Title
orpc 安全漏洞
Vulnerability Description
orpc是middleapi开源的一个RPC与OpenAPI集成框架。 oRPC 1.13.6之前版本存在安全漏洞,该漏洞源于@orpc/client包的RPC JSON反序列化器中存在原型污染,可能导致未经身份验证的远程攻击者向全局Object.prototype注入任意属性,从而引发身份验证绕过、拒绝服务或远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A