Replicator Remote Code Execution Vulnerability via Untrusted Data Deserialization
Vulnerability
A remote code execution vulnerability has been identified in the Replicator npm package, version 1.0.5. The package deserializes untrusted input into live objects, and its Error transform (part of the Replicator decode pipeline) chooses the constructor for a deserialized Error from attacker-controlled data. By naming a constructor other than an Error type, an attacker can turn the decode step into a path to arbitrary code execution.
Impact
Exploitation of this vulnerability allows remote code execution in the process that decodes an attacker-controlled payload, which in the typical deployment is the server running the affected application. Any code path that feeds data from a network peer, client, or other untrusted source into Replicator's decode function is exposed.
Reproduction
To reproduce this vulnerability, serialize a payload that contains an Error object. The Error transform looks up a constructor in the global scope by the value of the serialized 'name' field, so setting 'name' to 'Function' selects the global Function constructor. During deserialization that constructor is called with the serialized 'message' field, which for Function means the message is compiled as a function body. The decoded value is therefore a function containing attacker-supplied code, and it executes when the application invokes the result.
Remediation
Users are advised to upgrade to Replicator version 1.0.6 or later, where the Error transform resolves constructors only from an allowlist of Error types instead of the global scope. Check whether the package is present, including as a transitive dependency, with `npm ls replicator` before and after upgrading.
