RCE using bad deserialization in builderio/qwik
Mar 3rd 2023
Qwik provides an extended serialization mechanism for exchanging data between the client and server.
This allows for the serialization and deserialization of Function and many other useful data types.
Function deserializer can be accessed using the
Proof of Concept
By sending a
POST request with a content type of
/q-data.json we can trigger the vulnerable deserialization.
You can see the full proof of concept here. There is a little bit of finesse required due to the execution environment.
Full compromise of confidentiality, integrity and availability (CIA) on most deployments.
Will not work on Cloudflare Workers or static deployments.
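The flaw class described above, as an added example that is not Qwik's code or the report's proof of concept: a type-tagged JSON deserializer that revives Function values is safe only for data the server itself produced, so the request path needs a data-only reviver table. The $type/value tag format, the function names and the sample body are constructed for illustration and are not Qwik's wire format.

```javascript
// Toy tagged-JSON format, constructed for illustration (NOT Qwik's wire format):
//   {"$type": "Date", "value": "2023-03-03T00:00:00.000Z"}   data-only
//   {"$type": "Function", "value": "return 1 + 1"}           code-bearing

// Revivers that only build data: acceptable for untrusted input.
const DATA_REVIVERS = {
  Date: (v) => new Date(v),
  URL: (v) => new URL(v),
  Set: (v) => new Set(v),
};

// Revivers that turn a string into executable code: trusted input only.
const CODE_REVIVERS = {
  Function: (v) => new Function(v),
};

// Build a JSON.parse reviver that accepts only the tags in `revivers`.
function reviveWith(revivers) {
  return (_key, node) => {
    if (node === null || typeof node !== 'object' || !('$type' in node)) return node;
    // Own-property lookup so tags like "constructor" cannot reach Object.prototype.
    if (!Object.prototype.hasOwnProperty.call(revivers, node.$type)) {
      throw new TypeError(`type not allowed here: ${String(node.$type)}`);
    }
    return revivers[node.$type](node.value);
  };
}

// BEFORE: one reviver table for everything, including HTTP request bodies.
function parseAnything(text) {
  return JSON.parse(text, reviveWith({ ...DATA_REVIVERS, ...CODE_REVIVERS }));
}

// AFTER: request bodies get the data-only table; a Function tag is an error.
function parseRequestBody(text) {
  return JSON.parse(text, reviveWith(DATA_REVIVERS));
}

// Constructed sample body with a harmless function source.
const SAMPLE_BODY = JSON.stringify({
  when: { $type: 'Date', value: '2023-03-03T00:00:00.000Z' },
  cb: { $type: 'Function', value: 'return 1 + 1' },
});

console.log(typeof parseAnything(SAMPLE_BODY).cb);
try {
  parseRequestBody(SAMPLE_BODY);
} catch (err) {
  console.log(`rejected: ${err.message}`);
}
```

Rejecting the tag outright, rather than skipping it, also gives the server a clear signal to log when a request body carries a code-bearing type.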
The root cause