Moderate severityNVD Advisory· Published Jan 11, 2022· Updated Apr 23, 2025

Potential exposure of Replit tokens to an Unauthorized Actor in @replit/crosis

CVE-2022-21671

Description

@replit/crosis is a JavaScript client that speaks Replit's container protocol. A vulnerability that involves exposure of sensitive information exists in versions prior to 7.3.1. When using this library as a way to programmatically communicate with Replit in a standalone fashion, if there are multiple failed attempts to contact Replit through a WebSocket, the library will attempt to communicate using a fallback poll-based proxy. The URL of the proxy has changed, so any communication done to the previous URL could potentially reach a server that is outside of Replit's control and the token used to connect to the Repl could be obtained by an attacker, leading to full compromise of that Repl (not of the account). This was patched in version 7.3.1 by updating the address of the fallback WebSocket polling proxy to the new one. As a workaround, a user may specify the new address for the polling host (gp-v2.replit.com) in the ConnectArgs. More information about this workaround is available in the GitHub Security Advisory.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@replit/crosisnpm	< 7.3.1	7.3.1

Affected products

Replit/Crosisv5
Range: < 7.3.1

Patches

e44b6a8f5fa2

Change the default polling host to `gp-v2.replit.com` (#113)

https://github.com/replit/crosislhchavezJan 7, 2022via ghsa

commit

2 files changed · +5 −1

CHANGELOG.md+4 −0 modified

@@ -1,3 +1,7 @@
+#### v7.3.1
+
+Changed the default polling host to gp-v2.replit.com.
+
 #### v7.3.0
 
 Added an optional `pollingHost` field to `ConnectOptions`. This allows callers to override the polling host from gp-v2.herokuapp.com to something else when the polling fallback is used.

src/util/helpers.ts+1 −1 modified

@@ -61,7 +61,7 @@ export function getConnectionStr(
 ): string {
   const gurl = urllib.parse(connectionMetadata.gurl);
   if (isPolling) {
-    const host = pollingHost ?? 'gp-v2.herokuapp.com';
+    const host = pollingHost ?? 'gp-v2.replit.com';
     gurl.hostname = host;
     gurl.host = host;
     gurl.pathname = `/wsv2/${connectionMetadata.token}/${encodeURIComponent(

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-7w54-gp8x-f33mghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-21671ghsaADVISORY
github.com/replit/crosis/commit/e44b6a8f5fa28cb2872e3c19bb8a205bb5bfc281ghsax_refsource_MISCWEB
github.com/replit/crosis/security/advisories/GHSA-7w54-gp8x-f33mghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000