Critical severity9.0NVD Advisory· Published Feb 9, 2022· Updated Jun 17, 2026
CVE-2022-23631
CVE-2022-23631
Description
superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
superjsonnpm | < 1.8.1 | 1.8.1 |
blitznpm | < 0.45.3 | 0.45.3 |
Affected products
3- ghsa-coords2 versions
< 0.45.3+ 1 more
- (no CPE)range: < 0.45.3
- (no CPE)range: < 1.8.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-5888-ffcr-r425nvdExploitThird Party AdvisoryADVISORY
- github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425nvdExploitThird Party AdvisoryWEB
- www.sonarsource.com/blog/blitzjs-prototype-pollution/nvdExploitThird Party Advisory
- nvd.nist.gov/vuln/detail/CVE-2022-23631ghsaADVISORY
- www.sonarsource.com/blog/blitzjs-prototype-pollutionghsaWEB
News mentions
0No linked articles in our index yet.