RCE using bad deserialization in builderio/qwik

Valid

Reported on

Mar 3rd 2023

Description

Qwik provides an extended serialization mechanism for exchanging data between the client and server. This allows for the serialization and deserialization of Date, Regex, Signal, Function and many other useful data types.

The Function deserializer can be accessed using the pureServerFunction feature. This allows us to pass in any Javascript code to be run by node.js.

Proof of Concept

By sending a POST request with a content type of application/qwik-json to /q-data.json we can trigger the vulnerable deserialization.

You can see the full proof of concept here. There is a little bit of finesse required due to the execution environment.

Video here.

Impact

Full compromise of CIA on most deployments.

Will not work on Cloudflare workers, or static deployments.

Occurrences

serializers.ts L236

The root cause

References

We are processing your report and will contact the builderio/qwik team within 24 hours. 19 days ago

A builderio/qwik maintainer has acknowledged this report 19 days ago

Adam Bradley gave praise 19 days ago

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Adam Bradley validated this vulnerability 19 days ago

OhB00 has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Adam Bradley marked this as fixed in 0.21.0 with commit 4d9ba6 14 days ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Adam Bradley published this vulnerability 14 days ago

serializers.ts#L236 has been validated

to join this conversation