CVE-2022-23631

9.0 CRITICAL

📋 TL;DR

CVE-2022-23631 is a critical remote code execution vulnerability in superjson versions before 1.8.1. It allows an unauthenticated attacker to execute arbitrary code on a server that deserializes superjson input. Any server that uses superjson for request processing is vulnerable.

💻 Affected Systems

Products:
  • superjson
Versions: All versions before 1.8.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects servers that use superjson for request processing. The vulnerability exists in the library itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case: Arbitrary code execution allowing data exfiltration, backdoor installation, or lateral movement.

🟢 If Mitigated: No impact if patched or if superjson is not used for request processing.

🌐 Internet-Facing: HIGH - Any internet-facing endpoint using superjson is directly exploitable without authentication.
🏢 Internal Only: HIGH - Internal services using superjson are equally vulnerable to internal threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - any endpoint processing superjson input can be targeted. Public technical details and proof-of-concept are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.1

Vendor Advisory: https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425

Restart Required: Yes

Instructions:

1. Update superjson to version 1.8.1 or later using npm: 'npm update superjson' or 'yarn upgrade superjson'.
2. Restart all services using superjson.
3. Verify no older versions remain in the dependency tree.

🔧 Temporary Workarounds

No workarounds available

The vendor states there are no known workarounds. Patching is the only solution.

🧯 If You Can't Patch

  • Disable or remove endpoints that use superjson for request processing
  • Implement strict input validation and sanitization for all superjson inputs

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for the installed superjson version. If any installed copy is older than 1.8.1, the system is vulnerable.

Check Version:

npm list superjson | grep superjson

Verify Fix Applied:

Verify superjson version is 1.8.1 or higher using 'npm list superjson' or checking package.json.
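An `npm list` check only reports what npm resolves for the top-level tree; a second, older superjson can still sit nested under another dependency. The following script is an added example, not part of this advisory or of the superjson project. It reads a package-lock.json (lockfileVersion 1, 2 or 3), finds every copy of superjson including nested ones, compares each version against 1.8.1 with a small semver comparator, and exits non-zero if any vulnerable copy remains. The `SAMPLE_LOCK` object and the package name `some-lib` are constructed for illustration.

```javascript
// Added example (not from the advisory or the superjson project): audit an
// npm lockfile for every installed copy of superjson and flag those < 1.8.1.
// The SAMPLE_LOCK object below is constructed for illustration.

const FIXED_VERSION = '1.8.1';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease (1.8.1-beta.1) sorts below its release (1.8.1).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isVulnerable(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every superjson entry: the flat "packages" map of lockfile v2/v3,
// or the nested "dependencies" tree of lockfile v1.
function findSuperjson(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/superjson' || path.endsWith('/node_modules/superjson')) {
      found.push({ path, version: entry.version });
    }
  }
  function walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'superjson') found.push({ path, version: entry.version });
      walk(entry.dependencies, path + '/');
    }
  }
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// Returns all copies, the vulnerable subset, and an overall verdict.
function auditLockfile(lock) {
  const copies = findSuperjson(lock);
  const vulnerable = copies.filter((c) => isVulnerable(c.version));
  return { copies, vulnerable, safe: vulnerable.length === 0 };
}

// Constructed sample: the app pins a patched superjson, but a transitive
// dependency ("some-lib", hypothetical) still bundles an old one.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { superjson: '^1.8.1', 'some-lib': '^2.0.0' } },
    'node_modules/superjson': { version: '1.8.1' },
    'node_modules/some-lib': { version: '2.0.0', dependencies: { superjson: '~1.7.0' } },
    'node_modules/some-lib/node_modules/superjson': { version: '1.7.5' },
  },
};

// CLI usage: node audit-superjson.js [path/to/package-lock.json]
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const report = auditLockfile(lock);
  for (const c of report.copies) {
    console.log(`${c.path}: ${c.version} ${isVulnerable(c.version) ? 'VULNERABLE' : 'ok'}`);
  }
  process.exitCode = report.safe ? 0 : 1;
}
```

Run it against a real lockfile with `node audit-superjson.js package-lock.json`; with no argument it audits the constructed sample and exits 1 because of the nested 1.7.5 copy. The same check can be wired into CI so a regression to an old superjson fails the build.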

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from web server context
  • Suspicious JavaScript/Node.js code execution in logs
  • Errors from superjson parsing failures

Network Indicators:

  • HTTP requests containing malicious superjson payloads to endpoints
  • Unusual outbound connections from web servers

SIEM Query:

source="web_server" AND (process_execution="*node*" OR process_execution="*js*" OR message="*superjson*" OR status=500)
