CVE-2026-28794
Weakness (CWE): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution')
CVSS Vector (v4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: None
- User Interaction: None
- Confidentiality (Vulnerable System): High
- Integrity (Vulnerable System): High
- Availability (Vulnerable System): High
- Confidentiality (Subsequent System): Low
- Integrity (Subsequent System): Low
- Availability (Subsequent System): None
Description
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.
CVE-2026-28794: Comprehensive Technical Analysis
Executive Summary
CVE-2026-28794 is a critical prototype pollution vulnerability in the RPC JSON deserializer of the oRPC framework's @orpc/client package. The 9.8 score cited below is the CVSS v3.1 base score (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the CVSS v4.0 metrics at the top of this page describe the same unauthenticated, network-reachable, low-complexity attack. The flaw lets a remote attacker who can reach an affected endpoint inject arbitrary properties into JavaScript's Object.prototype, which can lead to authentication bypass, denial of service, and, given a suitable gadget in the application, remote code execution.
1. Vulnerability Assessment and Severity Evaluation
Severity Classification
- CVSS v3.1 Base Score: 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (the metrics at the top of the page are the CVSS v4.0 rating of the same issue)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Impact: High across Confidentiality, Integrity, and Availability (C:H/I:H/A:H)
Technical Assessment
Vulnerability Type: Prototype Pollution (CWE-1321)
The vulnerability exists in the RPC JSON deserializer, which assigns properties using keys taken from the request body without rejecting keys that reach the prototype chain (__proto__, or constructor followed by prototype). A crafted body therefore writes through the chain into the shared Object.prototype, and because every plain object in the Node.js process inherits from it, the injected properties are visible to code that never touched the request.
Critical Factors:
- Persistence: Pollution persists for the entire Node.js process lifetime
- Global Impact: Affects all objects in the application scope
- No Authentication Required: Exploitable by unauthenticated remote attackers
- Low Complexity: Straightforward exploitation without specialized conditions
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors
Primary Vector: Malicious JSON Payload
Attackers can craft JSON bodies for oRPC endpoints whose object keys name the prototype chain. JSON.parse on its own is harmless (it creates an own property literally called "__proto__"); the pollution happens when the deserializer walks those keys and assigns through them, reaching Object.prototype either directly via __proto__ or via constructor.prototype:
{
"__proto__": {
"isAdmin": true,
"authenticated": true,
"role": "administrator"
}
}
or
{
"constructor": {
"prototype": {
"polluted": "malicious_value"
}
}
}
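The following is an added example and not oRPC's code: a hypothetical deep-merge deserializer (unsafeMerge) that recurses on attacker-chosen keys the way a vulnerable RPC deserializer would, beside a hardened version (safeMerge), run against the two payload shapes above. It also shows why the naive authentication check in scenario 1 below passes, why an own-property check does not, and why null-prototype objects and Map lookups are unaffected. The function names and the payload strings are constructed for this illustration.

```javascript
// Constructed attacker bodies, as they would arrive on the wire.
const PAYLOAD_PROTO = '{"__proto__": {"isAdmin": true, "role": "administrator"}}';
const PAYLOAD_CTOR = '{"constructor": {"prototype": {"polluted": "malicious_value"}}}';

// Hypothetical vulnerable merge. target[key] for "__proto__" resolves to
// Object.prototype, and for "constructor" to Object, whose .prototype is
// Object.prototype again, so the recursion writes into the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) { // JSON.parse makes "__proto__" an own key
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] == null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse prototype-reaching keys, recurse only into the
// target's own properties, and allocate new containers with no prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop silently, or throw, per policy
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.hasOwn(target, key) ? target[key] : undefined;
      if (existing === null || typeof existing !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The naive check: `user` has no own isAdmin/role, so each lookup walks up
// to the (possibly polluted) Object.prototype.
function checkAuthNaive(user) {
  return Boolean(user.isAdmin && user.role === 'administrator');
}

// Own-property check: inherited values are ignored.
function checkAuthOwn(user) {
  return Object.hasOwn(user, 'isAdmin') && user.isAdmin === true &&
    Object.hasOwn(user, 'role') && user.role === 'administrator';
}

// Feed both payloads through `merge`, record what unrelated objects and
// lookups now see, then undo the pollution so the process is left clean.
function runDemo(merge) {
  try {
    merge({}, JSON.parse(PAYLOAD_PROTO));
    merge({}, JSON.parse(PAYLOAD_CTOR));
    const user = { name: 'guest' }; // fresh object, no own isAdmin/role
    return {
      isAdminOnFreshObject: ({}).isAdmin,
      pollutedOnFreshObject: ({}).polluted,
      naiveAuthPasses: checkAuthNaive(user),
      ownAuthPasses: checkAuthOwn(user),
      nullProtoSeesIt: Object.create(null).isAdmin !== undefined, // never
      mapSeesIt: new Map().get('isAdmin') !== undefined,          // never
    };
  } finally {
    for (const k of ['isAdmin', 'role', 'polluted']) delete Object.prototype[k];
  }
}

console.log('vulnerable merge:', runDemo(unsafeMerge));
console.log('hardened merge: ', runDemo(safeMerge));
```

With unsafeMerge, a brand-new {} reports isAdmin === true and the naive check admits a guest; with safeMerge nothing leaks, and the own-property check fails in both cases because the guest never had those properties.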
Exploitation Scenarios
1. Authentication Bypass
// Attacker pollutes Object.prototype
// Payload: {"__proto__": {"isAuthenticated": true, "role": "admin"}}
// Vulnerable code checking authentication. `user` has no own isAuthenticated
// or role property, so each lookup falls through the prototype chain to the
// polluted Object.prototype and the check passes for every caller.
function checkAuth(user) {
  if (user.isAuthenticated && user.role === "admin") {
    return true; // Bypassed due to prototype pollution
  }
  return false;
}
2. Denial of Service (DoS)
{
"__proto__": {
"toString": null,
"valueOf": null
}
}
Every plain object now inherits null for toString and valueOf, so any implicit conversion to a primitive (template literals, string concatenation, String(obj), loose comparisons) throws TypeError: Cannot convert object to primitive value. Inside a request handler that fails every subsequent request; an unhandled throw or rejection elsewhere terminates the Node.js process.
3. Remote Code Execution (RCE)
When combined with vulnerable code patterns. Node's child_process reads its options with ordinary property access, so a polluted shell or env is honored exactly as if the caller had passed it:
const child_process = require('child_process');
// Polluted property used in dangerous operations.
// After a payload such as {"__proto__": {"shell": "/bin/sh", "env": {...}}},
// an empty options object inherits options.shell and options.env from Object.prototype.
const options = {};
// options.shell === "/bin/sh"; options.env === the attacker's environment object
// command and args are whatever the application was already about to run
child_process.spawn(command, args, options);
Exploitation Complexity
- Skill Level Required: Low to Medium
- Tools Required: Standard HTTP clients (curl, Postman, custom scripts)
- Detection Difficulty: Medium (requires monitoring for suspicious JSON patterns)
3. Affected Systems and Software Versions
Affected Software
- Package: @orpc/client
- Vulnerable Versions: All versions prior to 1.13.6
- Framework: oRPC (OpenAPI-compliant RPC framework)
Affected Environments
- Runtime: Node.js applications
- Architecture: Any system running Node.js with the vulnerable package
- Deployment Types:
- Web APIs and microservices
- Backend services using oRPC for type-safe API development
- Applications with OpenAPI-compliant endpoints
- Full-stack applications using oRPC for client-server communication
Dependency Chain Risk
Applications may be indirectly affected through:
- Direct dependency on @orpc/client
- Transitive dependencies in larger frameworks
- Monorepo structures using oRPC packages
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1)
A. Patch to Version 1.13.6 or Later
# NPM
npm install @orpc/client@latest
# Yarn
yarn upgrade @orpc/client@latest
# PNPM
pnpm update @orpc/client@latest
Verify the update. The dependency tree must show 1.13.6 or later at every occurrence, including transitive copies pulled in by other packages:
npm ls @orpc/client
B. Emergency Workarounds (If Immediate Patching Impossible)
1. Object.freeze() Protection:
// Apply at application startup, before any library that patches
// Object.prototype (polyfills, some test or mocking frameworks) has loaded
Object.freeze(Object.prototype);
// Freezing the Object constructor does not protect the prototype (the
// Object.prototype property is already non-writable and non-configurable);
// it only prevents additions to Object itself
Object.freeze(Object);
Once Object.prototype is frozen, a sloppy-mode write to it is silently ignored and a strict-mode write throws TypeError, so a deserializer that is attacked fails closed instead of polluting the process. The side effect to test for: code that shadows an inherited method by plain assignment (obj.toString = fn) throws in strict mode, because the inherited property is now non-writable; such code must use Object.defineProperty instead. Node's experimental --frozen-intrinsics flag applies the same freeze to all built-ins.
2. Input Validation Middleware:
Run this on the parsed body before it reaches the oRPC deserializer. It strips every key that can reach the prototype chain; rejecting the request outright is the stricter option, since legitimate clients never send such keys:
function sanitizeJSON(obj) {
  const dangerousKeys = ['__proto__', 'constructor', 'prototype'];
  function clean(item) {
    if (Array.isArray(item)) {
      item.forEach(clean);
    } else if (item && typeof item === 'object') {
      for (const key of dangerousKeys) {
        // JSON.parse creates these as own data properties, so delete removes them
        if (Object.hasOwn(item, key)) delete item[key];
      }
      Object.keys(item).forEach(k => clean(item[k]));
    }
    return item;
  }
  return clean(obj);
}
Short-term Mitigations (Priority 2)
C. Web Application Firewall (WAF) Rules
Implement rules to detect and block prototype pollution attempts (inspecting the body requires SecRequestBodyAccess On). The quoted-key alternative matches JSON bodies; the bracket and dotted forms match form-encoded paths such as a[constructor][prototype][x]=1:
# Example ModSecurity rule
SecRule REQUEST_BODY "@rx (__proto__|constructor\s*\[|\.prototype\.|\"(constructor|prototype)\"\s*:)" \
"id:1000,phase:2,deny,status:403,t:none,msg:'Prototype Pollution Attempt'"
A regex over the raw body is a stopgap only: JSON permits \u escapes inside strings, so a key written as "\u005f\u005fproto\u005f\u005f" parses to __proto__ without the body ever containing that byte sequence. Where the WAF can parse JSON, match on the decoded argument names instead (ModSecurity's JSON request body processor exposes them through ARGS_NAMES), or validate after parsing inside the application.
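The following is an added example, not part of the page or of any WAF product: it compares a raw-body regex in the spirit of the ModSecurity rule above with a check on the parsed JSON keys, using constructed request bodies, and shows the \u-escape bypass that only the parsed check catches.

```javascript
// Constructed request bodies.
const BODY_PLAIN   = '{"__proto__": {"isAdmin": true}}';
// Same key spelled with JSON \u escapes: parses to "__proto__", but the raw
// bytes never contain that string.
const BODY_ESCAPED = '{"\\u005f\\u005fproto\\u005f\\u005f": {"isAdmin": true}}';
const BODY_NESTED  = '{"profile": {"settings": {"constructor": {"prototype": {"x": 1}}}}}';
// Benign: the dangerous words appear only as values, never as keys.
const BODY_BENIGN  = '{"name": "constructor", "note": "see __proto__ docs"}';

// Regex over the raw body, quoted-key form so that values do not trigger it.
const KEY_REGEX = /"(__proto__|constructor|prototype)"\s*:/;
function regexBlocks(body) {
  return KEY_REGEX.test(body);
}

// Structural check: parse first, then walk every object key exactly as the
// deserializer will see them. Returns JSONPath-style locations of offenders.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function findDangerousKeys(value, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findDangerousKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    // Object.keys lists own keys only; a parsed "__proto__" is an own key here.
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (DANGEROUS_KEYS.has(key)) found.push(here);
      findDangerousKeys(value[key], here, found);
    }
  }
  return found;
}

function parsedBlocks(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return true; // malformed JSON never reaches the deserializer either
  }
  return findDangerousKeys(parsed).length > 0;
}

// Side-by-side verdicts for the constructed bodies.
function compare() {
  const bodies = { plain: BODY_PLAIN, escaped: BODY_ESCAPED, nested: BODY_NESTED, benign: BODY_BENIGN };
  const out = {};
  for (const [name, body] of Object.entries(bodies)) {
    out[name] = { regex: regexBlocks(body), parsed: parsedBlocks(body) };
  }
  return out;
}

console.table(compare());
```

The escaped body is the one to note: the regex reports it clean while the parsed walk flags $.__proto__, which is what the application's deserializer would have operated on.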
D. Runtime Application Self-Protection (RASP)
Deploy RASP solutions that monitor for prototype pollution patterns in real-time.
Long-term Strategies (Priority 3)
E. Secure Development Practices
- Dependency Management:
  - Implement automated dependency scanning (Snyk, Dependabot, npm audit)
  - Establish regular update cycles
  - Maintain a Software Bill of Materials (SBOM)
- Code Review Standards:
  - Review all JSON deserialization code
  - Implement secure coding guidelines for object manipulation
  - Use static analysis tools (ESLint with security plugins)
- Defense in Depth:
  // Use Object.create(null) for data objects: no prototype chain to pollute or inherit from
  const safeObject = Object.create(null);
  // Use Map instead of plain objects for user-keyed data: Map lookups never consult Object.prototype
  const userData = new Map();
F. Monitoring and Detection
// Runtime monitoring for prototype pollution. Snapshot the property descriptors
// at startup so both added properties and overwritten ones (e.g. toString set
// to null) are reported. A polling check leaves a window of up to one interval;
// it detects pollution, whereas freezing Object.prototype prevents it.
const baseline = new Map(Object.getOwnPropertyNames(Object.prototype)
  .map(n => [n, Object.getOwnPropertyDescriptor(Object.prototype, n)]));
function checkPrototype() {
  const names = Object.getOwnPropertyNames(Object.prototype);
  const added = names.filter(n => !baseline.has(n));
  const changed = [...baseline].filter(([n, o]) => {
    const d = Object.getOwnPropertyDescriptor(Object.prototype, n);
    return !d || d.value !== o.value || d.get !== o.get || d.set !== o.set;
  }).map(([n]) => n);
  if (added.length > 0 || changed.length > 0) {
    console.error('SECURITY ALERT: Prototype pollution detected:', { added, changed });
    // Trigger incident response
  }
}
setInterval(checkPrototype, 60000).unref(); // unref so the timer never keeps an idle process alive
5. Impact on Cybersecurity Landscape
Industry-Wide Implications
A. JavaScript Ecosystem Vulnerabilities
This CVE highlights ongoing challenges in the JavaScript/Node.js ecosystem:
- Prototype Chain Risks: Fundamental language feature creates persistent security challenges
- Deserialization Vulnerabilities: JSON parsing remains a critical attack surface
- Supply Chain Security: Dependencies in modern applications create cascading risks
B. API Security Concerns
- OpenAPI/RPC Frameworks: Increased scrutiny on type-safe API frameworks
- Serialization Libraries: Renewed focus on secure deserialization practices
- Zero-Trust Architecture: Reinforces need for defense-in-depth approaches
Threat Landscape Evolution
C. Attacker Capabilities
- Low Barrier to Entry: Prototype