CircuitVerse potential RCE vulnerability via Oj.load
Description
CircuitVerse is an open-source platform that allows users to construct digital logic circuits online. A remote code execution (RCE) vulnerability in CircuitVerse allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. A patch is available in commit 7b3023a99499a7675f10f2c1d9effdf10c35fb6e. There are currently no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insecure deserialization in CircuitVerse allows authenticated attackers to achieve remote code execution via crafted JSON payloads.
Vulnerability
CircuitVerse, an open-source digital logic circuit simulation platform, contains a remote code execution vulnerability due to insecure deserialization. The issue resides in the sanitize_data method, which uses Oj.load (instead of the safer Oj.safe_load) to process JSON data submitted by users. The vulnerable code path is reachable when a user with an active session sends a specially crafted JSON payload. This affects all versions prior to commit 7b3023a99499a7675f10f2c1d9effdf10c35fb6e [1].
Exploitation
An authenticated attacker can exploit this vulnerability by sending a malicious JSON payload to the server. The attacker does not require any special privileges beyond a valid account. The insecure Oj.load call will deserialize the payload, which can contain arbitrary objects, leading to code execution. No user interaction beyond the authenticated request is needed [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the CircuitVerse server. This results in a full compromise of confidentiality, integrity, and availability of the application and its data. The attacker gains the ability to read, modify, or delete any project data, user information, and potentially pivot to the underlying server infrastructure [1].
Mitigation
The vulnerability has been patched in commit 7b3023a99499a7675f10f2c1d9effdf10c35fb6e by replacing Oj.load with Oj.safe_load [2]. As of the publication date (2022-09-06), no workarounds are available; users must apply the patch by updating to the latest version of CircuitVerse [1].
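After applying the patch, it is worth confirming that no other Oj.load call in a codebase still parses request data in Oj's default mode. The script below is an added example, not code from CircuitVerse or from the referenced commit: a line-based audit that flags Oj.load calls and accepts Oj.safe_load or an explicit strict mode (the mode Oj.safe_load uses). The function names, the Finding struct and the sample source are assumptions made for the illustration.

```ruby
# Added example (not CircuitVerse code): line-based audit for Oj.load calls
# that do not pin strict mode. Heuristic only; it does not parse Ruby.

OJ_LOAD     = /\bOj\.load\b/   # \b keeps Oj.load_file and Oj.safe_load out
STRICT_MODE = /\bmode:\s*:strict\b|:mode\s*=>\s*:strict\b/

Finding = Struct.new(:file, :line_no, :text)

# Returns one Finding per non-comment line that calls Oj.load without an
# explicit strict mode on the same line.
def audit_source(name, source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    next if line.lstrip.start_with?('#')
    next unless line.match?(OJ_LOAD)
    next if line.match?(STRICT_MODE)
    findings << Finding.new(name, no, line.strip)
  end
  findings
end

# Audits every .rb file under root (for example a Rails app directory).
def audit_tree(root)
  Dir.glob(File.join(root, '**', '*.rb')).sort.flat_map do |path|
    audit_source(path, File.read(path))
  end
end

# Constructed sample input; the method name comes from the text above, the
# body is invented for the demonstration.
SAMPLE = <<~'RUBY'
  class ProjectsController
    def sanitize_data(raw)
      data = Oj.load(raw)
      # Oj.load(raw) appears here only inside a comment
      meta = Oj.load(raw, mode: :strict)
      Oj.safe_load(raw)
    end
  end
RUBY

audit_source('sample.rb', SAMPLE).each do |f|
  puts "#{f.file}:#{f.line_no}: #{f.text}"
end
```

Calls whose options are spread over several lines are reported even when they set strict mode, so each finding needs a manual look.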
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: < 7b3023a99499a7675f10f2c1d9effdf10c35fb6e
References
- github.com/CircuitVerse/CircuitVerse/commit/7b3023a99499a7675f10f2c1d9effdf10c35fb6e (mitre, x_refsource_MISC)
- github.com/CircuitVerse/CircuitVerse/security/advisories/GHSA-8c8q-4h7g-4rp3 (mitre, x_refsource_CONFIRM)