RCE using bad deserialization in builderio/qwik

Status: Valid
Reported on: Mar 3rd 2023
Description

Qwik provides an extended serialization mechanism for exchanging data between the client and the server. Beyond plain JSON it can serialize and deserialize Date, Regex, Signal, Function and many other data types.

The Function deserializer is reachable through the pureServerFunction feature. Because the deserializer accepts the function's JavaScript code from the serialized input, a client can pass in arbitrary JavaScript, which is then executed by the Node.js server process.
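To make the bug class concrete, the following is an added example constructed for this page; it is not Qwik's serializer and not the proof of concept. It shows a toy tagged wire format whose function decoder compiles client-supplied source text with new Function, next to a hardened decoder that only accepts an identifier and resolves it against a server-side registry. The tag names, the registry contents and the attacker payload are all assumptions made for illustration.

```javascript
// Constructed example (not Qwik's code): each wire value is [tag, payload].
// The "fn" tag is where the bug class lives. unsafeDeserialize compiles the
// payload as JavaScript, so whatever the client put there runs inside the
// server process during deserialization. safeDeserialize never compiles
// anything: the payload must be an id present in a server-side registry.

// Hypothetical registry of functions the server is willing to hand out.
const SERVER_FUNCTIONS = new Map([
  ['double', (n) => n * 2],
  ['greet', (name) => `hello ${name}`],
]);

// Parses the outer envelope and rejects anything that is not a [tag, payload] pair.
function parseTagged(wireJson) {
  const parsed = JSON.parse(wireJson);
  if (!Array.isArray(parsed) || parsed.length !== 2 || typeof parsed[0] !== 'string') {
    throw new Error('malformed tagged value');
  }
  return parsed;
}

// Decodes the non-function tags shared by both decoders.
function decodePrimitive(tag, payload) {
  switch (tag) {
    case 'str':
      return String(payload);
    case 'num':
      return Number(payload);
    case 'date':
      return new Date(payload);
    default:
      throw new Error(`unknown tag: ${tag}`);
  }
}

// VULNERABLE: the function payload is JavaScript source supplied by the client.
function unsafeDeserialize(wireJson) {
  const [tag, payload] = parseTagged(wireJson);
  if (tag === 'fn') {
    // new Function compiles the string and the wrapper evaluates it at once,
    // so every side effect in the payload happens here, on the server.
    return new Function(`return (${payload});`)();
  }
  return decodePrimitive(tag, payload);
}

// HARDENED: only a registry id crosses the wire; unknown ids are rejected.
function safeDeserialize(wireJson) {
  const [tag, payload] = parseTagged(wireJson);
  if (tag === 'fn') {
    if (typeof payload !== 'string' || !SERVER_FUNCTIONS.has(payload)) {
      throw new Error(`unknown function id: ${String(payload)}`);
    }
    return SERVER_FUNCTIONS.get(payload);
  }
  return decodePrimitive(tag, payload);
}

// Constructed attacker payload. A benign global write stands in for a real
// command; the point is that it executes before the caller sees any value.
const ATTACKER_PAYLOAD = JSON.stringify([
  'fn',
  "(globalThis.__deserializeCanary = 'attacker code ran', () => 42)",
]);

// Runs both decoders against the payload and reports what happened.
function demo() {
  globalThis.__deserializeCanary = undefined;
  const fn = unsafeDeserialize(ATTACKER_PAYLOAD);
  const ranOnUnsafe = globalThis.__deserializeCanary === 'attacker code ran';

  globalThis.__deserializeCanary = undefined;
  let safeRejected = false;
  try {
    safeDeserialize(ATTACKER_PAYLOAD);
  } catch {
    safeRejected = true;
  }
  const ranOnSafe = globalThis.__deserializeCanary === 'attacker code ran';

  return {
    ranOnUnsafe,        // payload executed during unsafe deserialization
    unsafeResult: fn(), // the returned function is the attacker's
    safeRejected,       // hardened decoder refused the payload
    ranOnSafe,          // nothing executed in the hardened path
    safeDouble: safeDeserialize(JSON.stringify(['fn', 'double']))(21),
  };
}

console.log(demo());
```

The hardened variant is the usual remedy for this class: the server must never reconstruct executable code from bytes the client controls, only look up code it already has by an identifier it validates.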

Proof of Concept

Sending a POST request with a Content-Type of application/qwik-json to /q-data.json triggers the vulnerable deserialization of the request body.

You can see the full proof of concept here. There is a little bit of finesse required due to the execution environment.

Video here.

Impact

Full compromise of confidentiality, integrity and availability (CIA) on most deployments: the deserialized code runs with the privileges of the Node.js server process.

The exploit will not work on Cloudflare Workers or on static deployments, neither of which runs the Node.js server process the exploit relies on.

Occurrences

serializers.ts#L236 (validated as the root cause)

Timeline

We are processing your report and will contact the builderio/qwik team within 24 hours.
builderio/qwik maintainer has acknowledged this report.
Adam Bradley gave praise.
Adam Bradley validated this vulnerability.
OhB00 has been awarded the disclosure bounty; the fix bounty was offered and later dropped.
Adam Bradley marked this as fixed in 0.21.0 with commit 4d9ba6.
This vulnerability has been assigned a CVE.
Adam Bradley published this vulnerability.