SNYK-JS-SERIALIZEJAVASCRIPT-6147607
Authorization Bypass vulnerability in serialize-javascript (npm)
What is SNYK-JS-SERIALIZEJAVASCRIPT-6147607 About?
This vulnerability in `golang.org/x/crypto/ssh` can lead to an authorization bypass where an attacker can authenticate with one public key while the application incorrectly makes authorization decisions based on a different key. This stems from a misuse of the `ServerConfig.PublicKeyCallback` API, which misrepresents the actually authenticated key. Exploitation is moderately complex, requiring knowledge of the application's specific callback misuse.
Affected Software
Technical Details
The `ServerConfig.PublicKeyCallback` in `golang.org/x/crypto/ssh` can be misused, leading to an authorization bypass. The SSH protocol allows clients to offer multiple public keys and inquire about their acceptability before proving control of the corresponding private key. A vulnerable application might store or derive security-relevant information based on a key passed to `PublicKeyCallback`, but not necessarily the one with which the client ultimately authenticates.

An attacker could send two public keys (A and B), and then authenticate using key A. The callback would be invoked for both A and B. If the application makes authorization decisions based on key B (e.g., the last key seen by the callback), even though the attacker only authenticated with A, an authorization bypass occurs. This is because the order of callbacks, or the specific key that last invoked the callback, does not reliably indicate the authenticated key.

While a partial mitigation in `golang.org/x/crypto@v0.31.0` ensures that the last key passed to `PublicKeyCallback` is the authenticated one if public key authentication succeeds, it does not cover other authentication methods.
What is the Impact of SNYK-JS-SERIALIZEJAVASCRIPT-6147607?
Successful exploitation may allow attackers to bypass authorization controls, gain unauthorized access to resources, elevate privileges, or perform actions they are not properly authenticated for.
What is the Exploitability of SNYK-JS-SERIALIZEJAVASCRIPT-6147607?
Exploitation of this vulnerability is of moderate complexity. It requires an attacker to interact with an SSH server that has misused `ServerConfig.PublicKeyCallback`, specifically one that relies on the order or last-seen key from this callback for authorization instead of the `ServerConn.Permissions` field. Authentication is required, as the attack involves submitting public keys and authenticating. The attack is remote, as it targets an accessible SSH server. Success depends on the specific implementation details of the server's authorization logic and how it processes public key callbacks. Risk factors include applications that do not follow best practices for SSH key handling and authorization, particularly those that do not use the `Extensions` field of `Permissions`.
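The Technical Details and Exploitability sections above describe the same defect from two sides: a callback that remembers the last key it was asked about, versus one that records the identity in `Permissions.Extensions` so it travels with the key that was actually proven. The following Go program is an added example, not code from this page or from `golang.org/x/crypto`. It defines local stand-ins for `PublicKey`, `Permissions` and `PublicKeyCallback` (an assumption about their shape, made so the example compiles without the module) and a small `runHandshake` model of the server: the callback runs once for every offered key in offer order, and the `Permissions` returned for the key the client proves possession of play the role of `ServerConn.Permissions`. The sample keys and user mapping are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Local stand-ins for the x/crypto/ssh types discussed on this page.
// Assumption: shapes mirror PublicKeyCallback and Permissions.Extensions;
// they are defined here so the example runs without the module.
type PublicKey []byte

type Permissions struct {
	Extensions map[string]string
}

type PublicKeyCallback func(key PublicKey) (*Permissions, error)

// Constructed sample keys and their owners; not real key material.
var (
	KeyA  = PublicKey("constructed-key-A-owned-by-alice")
	KeyB  = PublicKey("constructed-key-B-owned-by-admin")
	keyDB = map[string]string{
		Fingerprint(KeyA): "alice",
		Fingerprint(KeyB): "admin",
	}
)

// Fingerprint renders a key in the SHA256:base64 style used for SSH keys.
func Fingerprint(k PublicKey) string {
	sum := sha256.Sum256(k)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// runHandshake models the server side of the exchange: the client may offer
// several keys (the callback is invoked for each, in order) and then proves
// possession of exactly one. The Permissions returned for the proven key are
// what the real library exposes as ServerConn.Permissions after the handshake.
func runHandshake(cb PublicKeyCallback, offered []PublicKey, proven PublicKey) (*Permissions, error) {
	var granted *Permissions
	for _, k := range offered {
		perms, err := cb(k)
		if err != nil {
			continue // an unknown key is simply not acceptable
		}
		if bytes.Equal(k, proven) {
			granted = perms
		}
	}
	if granted == nil {
		return nil, errors.New("authentication failed: proven key was not accepted")
	}
	return granted, nil
}

// VulnerableDecision authorizes whichever user the callback saw last.
// Callback order says nothing about which key was proven, so a client that
// offers its own key first and another user's public key second is
// authorized as that other user.
func VulnerableDecision(offered []PublicKey, proven PublicKey) (string, error) {
	lastUser := ""
	cb := func(key PublicKey) (*Permissions, error) {
		user, ok := keyDB[Fingerprint(key)]
		if !ok {
			return nil, fmt.Errorf("unknown key %s", Fingerprint(key))
		}
		lastUser = user // BUG: records the last key queried, not the key proven
		return &Permissions{}, nil
	}
	if _, err := runHandshake(cb, offered, proven); err != nil {
		return "", err
	}
	return lastUser, nil
}

// SafeDecision stores the identity in Permissions.Extensions inside the
// callback and reads it back from the Permissions bound to the proven key.
func SafeDecision(offered []PublicKey, proven PublicKey) (string, error) {
	cb := func(key PublicKey) (*Permissions, error) {
		user, ok := keyDB[Fingerprint(key)]
		if !ok {
			return nil, fmt.Errorf("unknown key %s", Fingerprint(key))
		}
		return &Permissions{Extensions: map[string]string{
			"user":      user,
			"pubkey-fp": Fingerprint(key),
		}}, nil
	}
	perms, err := runHandshake(cb, offered, proven)
	if err != nil {
		return "", err
	}
	return perms.Extensions["user"], nil
}

func main() {
	offered := []PublicKey{KeyA, KeyB} // alice's key, then admin's public key
	v, _ := VulnerableDecision(offered, KeyA)
	s, _ := SafeDecision(offered, KeyA)
	fmt.Printf("last-seen key authorizes as %q; Permissions authorizes as %q\n", v, s)
}
```

Running `main` shows the divergence on the scenario from the page: offering key A then key B and proving A, the last-seen approach reports `admin` while the `Permissions`-based approach reports `alice`. The practical check for a code base is therefore whether any state written inside `PublicKeyCallback` is read after the handshake other than through `ServerConn.Permissions`; anything else is the pattern this advisory describes.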
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for SNYK-JS-SERIALIZEJAVASCRIPT-6147607?
About the Fix from Resolved Security
The patch ensures that when a URL object is serialized, its string value is also serialized, which escapes potentially dangerous characters. This prevents injection attacks or XSS when deserializing or evaluating serialized URLs, thus addressing the code injection risk tracked in SNYK-JS-SERIALIZEJAVASCRIPT-6147607.
Available Upgrade Options
- serialize-javascript
  - <6.0.2 → Upgrade to 6.0.2
Additional Resources
What are Similar Vulnerabilities to SNYK-JS-SERIALIZEJAVASCRIPT-6147607?
Similar Vulnerabilities: CVE-2023-38545, CVE-2022-21661, CVE-2020-13692, CVE-2019-15869, CVE-2018-1000121
