`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization

Description

Summary

A critical Prototype Pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution.

Vulnerability Details

The root cause lies in the deserialize() method of StandardRPCJsonSerializer. When processing attacker-controlled path segments from the meta and maps arrays, the deserializer fails to implement validation or sanitization for dangerous JavaScript object keys, specifically __proto__ and constructor:

https://github.com/middleapi/orpc/blob/819ed2e0897b18a5d6a4ca85ba68568f055004a1/packages/client/src/adapters/standard/rpc-json-serializer.ts#L137-L213

There are two primary distinct write vectors available to an attacker:

  1. The meta vector: Writes type-constrained values (e.g., Map, Set, Date) to arbitrary object paths.
  2. The maps vector: Allows the injection of arbitrary string values. This occurs because the return value of getBlob(i) (which relies on FormData.get(i.toString())) is cast as Blob. Since this is strictly a TypeScript compile-time cast, the runtime execution allows standard text fields to return as arbitrary strings.

Crucially, this deserialization process occurs at the very beginning of the request lifecycle before any Zod schema validation takes place. Consequently, a malicious payload will successfully pollute the prototype even if the request is subsequently rejected by the validation layer.

This issue impacts all server adapters utilizing the RPC protocol.

Proof of Concept

To reproduce the vulnerability, set up the playgrounds/astro environment and start the development server using pnpm dev.

Run the following curl command to send a crafted payload:

curl -X POST http://localhost:4321/rpc/planet/create \
     -F 'data={"json":{},"meta":[],"maps":[["__proto__","role"]]}' \
     -F '0=admin'

Result: The deserializer evaluates maps, follows the __proto__ path, and maps index 0 to the string "admin". This immediately applies Object.prototype.role = "admin" across the entire Node.js server instance.

Impact

Servers relying on StandardRPCJsonSerializer for deserialization are immediately susceptible to global prototype pollution. The potential impacts including:

  • Privilege Escalation / Authorization Bypass: Attackers can bypass flawed security checks. For example, if the server relies on a defaulted property check like if (user.role === "admin"), the application will evaluate this as true for all users globally.
  • Remote Code Execution: If the application or its dependencies contain susceptible prototype pollution gadgets (e.g., dynamically executing shell commands or scripts based on object properties), this vulnerability can be leveraged into full RCE.
  • Denial of Service: Attackers can overwrite built-in methods (e.g., toString) or set objects into unexpected states, causing the application to crash or throw unhandled exceptions globally.

Basic information

Type
reviewed
Severity
critical
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-03-02 21:43:00 UTC
Updated
2026-03-06 15:16:22 UTC
GitHub reviewed
2026-03-02 21:43:00 UTC
NVD published
2026-03-06

EPSS Score

Score Percentile
1.12% 78.22%

CVSS Scores

Base score Version Severity Vector
9.3 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:L)
Limited confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:L)
Limited integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Credits

  • mnixry (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm @orpc/client <= 1.13.5 1.13.6

References

cvelogic Threat Intelligence