Replicant: When Deserialization Starts Writing Your Scripts

Vulnerability Overview

Replicant is an npm package for advanced JavaScript serialization and deserialization. This vulnerability (CVE-2022-2265) lies in its decoding process: when reconstructing error objects, Replicant trusts attacker-controlled data, using a field from the serialized input to select a constructor from the global scope. This turns deserialization from data processing into behavior shaping: the input no longer merely describes an object, it chooses which code runs to build it.

Vulnerability Category

CVE: CVE-2022-2265
CWE-502: Deserialization of Untrusted Data
Impact: Code execution primitive through unsafe constructor selection
Component: Error transformation logic in the decoding pipeline

Impact Scope

Replicant is widely used, with approximately 1 million monthly downloads.
Attackers can control the constructor-selection field to select arbitrary global constructors.
An attacker-controlled field can serve as the function body input.
The decoded return value is invoked, leading to remote code execution.

Vulnerable Code (Pre-Fix)

The constructor selector comes from untrusted input, allowing attackers to influence which constructor is instantiated.

POC Code

Payload Analysis:
The constructor-selection field is attacker-controlled.
The accompanying field becomes the function body input.
The decoded return value is invoked.

Fix Solution (PR #19)

Replace the open global lookup with a constructor whitelist.

Core Fix Principles:
1. Explicit Type Whitelist: Only allow known-safe error constructors.
2. Safe Default: Unknown values fall back to a fixed, safe constructor instead of resolving arbitrary global objects.

Practical Recommendations

When Maintaining Serialization/Deserialization Logic:
Never resolve constructors from untrusted strings via the global scope.
Maintain strict allowlists for each polymorphic type path.
Validate types and structures before reconstruction.
Include negative security tests for unexpected constructor names.

When Using Replicant in Projects:
Upgrade to a version containing PR #19.
Treat decoded objects as untrusted input until validated by your own logic.
Audit downstream usage for places where decoded values are invoked or dynamically executed.

Disclosure Timeline
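The open global lookup, the whitelisted fix described under Fix Solution, and the negative security test called for under Practical Recommendations, shown together as an added JavaScript illustration. This is not Replicant's own code and does not reproduce PR #19; the serialized shape {type, message}, the function names, and the attacker payload are assumptions constructed for this example.

```javascript
// Added illustration, not Replicant's code: a minimal error decoder in the
// shape the write-up describes. The serialized form {type, message} and the
// function names are assumptions for this example.

// Vulnerable pattern: the untrusted `type` string selects a constructor from
// the global scope, so "Function" (or any other global) can be instantiated.
function decodeErrorUnsafe(serialized) {
  const Ctor = globalThis[serialized.type];
  return new Ctor(serialized.message);
}

// Hardened pattern: an explicit allowlist of error constructors, with unknown
// names falling back to Error. A Map (rather than a plain object) is used so
// that keys such as "constructor" or "__proto__" cannot reach the prototype chain.
const ERROR_CONSTRUCTORS = new Map([
  ['Error', Error],
  ['EvalError', EvalError],
  ['RangeError', RangeError],
  ['ReferenceError', ReferenceError],
  ['SyntaxError', SyntaxError],
  ['TypeError', TypeError],
  ['URIError', URIError],
]);

function decodeErrorSafe(serialized) {
  if (serialized === null || typeof serialized !== 'object') {
    throw new TypeError('serialized error must be an object');
  }
  const { type, message } = serialized;
  // Validate structure before reconstruction: the message must be a string.
  if (typeof message !== 'string') {
    throw new TypeError('serialized error message must be a string');
  }
  // Unknown or non-string type values miss the Map and take the safe default.
  const Ctor = ERROR_CONSTRUCTORS.get(type) ?? Error;
  return new Ctor(message);
}

// Constructed attacker payload: selects the Function constructor and supplies
// a function body where a message is expected.
const MALICIOUS_PAYLOAD = {
  type: 'Function',
  message: 'globalThis.__decodedBodyRan = true;',
};

// Demonstrate the primitive: the unsafe decoder returns a callable rather than
// an Error, so any downstream code that invokes the decoded value runs the body.
function demonstrateUnsafe() {
  globalThis.__decodedBodyRan = false;
  const decoded = decodeErrorUnsafe(MALICIOUS_PAYLOAD);
  const isCallable = typeof decoded === 'function';
  if (isCallable) decoded(); // the invocation step the write-up refers to
  return { isCallable, bodyRan: globalThis.__decodedBodyRan === true };
}

// Negative security test: unexpected constructor names must only ever yield
// an instance built by the allowlist's safe default.
function checkSafeDecoder() {
  const probes = ['Function', 'Proxy', 'Object', 'constructor', '__proto__', undefined, 42];
  return probes.every((type) => {
    const decoded = decodeErrorSafe({ type, message: MALICIOUS_PAYLOAD.message });
    return decoded instanceof Error
      && typeof decoded !== 'function'
      && Object.getPrototypeOf(decoded) === Error.prototype;
  });
}

console.log(demonstrateUnsafe()); // { isCallable: true, bodyRan: true }
console.log(decodeErrorSafe({ type: 'TypeError', message: 'bad input' }) instanceof TypeError); // true
console.log(checkSafeDecoder()); // true
```

The allowlist is keyed by the exact strings the decoder expects, and the fallback is a concrete constructor rather than "whatever the global object has under that name", which is the difference between the pre-fix and post-fix behavior the write-up describes. Running the negative probes in a test suite catches any future change that reopens the global lookup.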