CVE-2022-21671 in crosis
Summary
by MITRE • 01/11/2022
@replit/crosis is a JavaScript client that speaks Replit's container protocol. A vulnerability that involves exposure of sensitive information exists in versions prior to 7.3.1. When using this library as a way to programmatically communicate with Replit in a standalone fashion, if there are multiple failed attempts to contact Replit through a WebSocket, the library will attempt to communicate using a fallback poll-based proxy. The URL of the proxy has changed, so any communication done to the previous URL could potentially reach a server that is outside of Replit's control and the token used to connect to the Repl could be obtained by an attacker, leading to full compromise of that Repl (not of the account). This was patched in version 7.3.1 by updating the address of the fallback WebSocket polling proxy to the new one. As a workaround, a user may specify the new address for the polling host (`gp-v2.replit.com`) in the `ConnectArgs`. More information about this workaround is available in the GitHub Security Advisory.
Analysis
by VulDB Data Team • 01/13/2022
The vulnerability identified as CVE-2022-21671 affects the @replit/crosis JavaScript client library, which facilitates communication with Replit's container protocol. This library serves as a programmatic interface for developers to interact with Replit's infrastructure, making it a critical component in automated development workflows and containerized applications. The flaw manifests in the library's handling of network communication failures, specifically when establishing WebSocket connections to Replit's services. When multiple WebSocket connection attempts fail, the library automatically falls back to a poll-based proxy mechanism to maintain connectivity, representing a common pattern in network resilience design.
The technical implementation of this vulnerability stems from the library's hardcoded reference to an outdated proxy endpoint URL. During normal operation, the client attempts to establish direct WebSocket connections to Replit's infrastructure. When these connections fail, the fallback mechanism activates and attempts to use a polling proxy to maintain communication. However, the proxy URL had been updated by Replit's infrastructure team, while the older version of the @replit/crosis library continued to reference the deprecated endpoint. This creates a scenario where network traffic intended for Replit's services could be redirected to unintended servers, potentially outside of Replit's control and security boundaries.
The operational impact of this vulnerability is significant, as it enables attackers to intercept authentication tokens used to connect to specific Repls. When the library attempts to communicate through the outdated proxy URL, any sensitive information transmitted during this process could be captured by malicious actors operating servers that respond to the old endpoint. This token exposure could lead to full compromise of individual Repls, allowing attackers to execute arbitrary code, access source files, modify applications, and potentially gain access to any data stored within those environments. The vulnerability specifically affects the integrity and confidentiality of individual Repl instances rather than user accounts, but the implications for application security remain severe.
This vulnerability aligns with CWE-200, which addresses "Information Exposure," and demonstrates characteristics consistent with CWE-352, "Cross-Site Request Forgery," in terms of unauthorized access to protected resources. From an ATT&CK framework perspective, this vulnerability maps to T1071.004, "Application Layer Protocol: DNS," and T1566, "Phishing," as it involves exploitation of network communication patterns and potential information disclosure. The vulnerability also reflects the broader category of insecure communication patterns, as outlined in OWASP Top 10 2021 under A02:2021 - Cryptographic Failures, where outdated communication endpoints can lead to token exposure and unauthorized access. The patch implemented in version 7.3.1 addresses this by updating the fallback proxy URL to the current endpoint at gp-v2.replit.com, ensuring that all communication attempts follow the correct infrastructure paths and maintain proper security boundaries.
Organizations and developers utilizing the @replit/crosis library should immediately upgrade to version 7.3.1 or later to mitigate this vulnerability. In the interim, the workaround of manually specifying the new proxy endpoint address in the ConnectArgs provides a temporary solution while maintaining application functionality. Security teams should monitor for any unauthorized access attempts or unusual network traffic patterns that might indicate exploitation of this vulnerability. Additionally, developers should implement proper dependency management practices and regularly audit their application's network communication patterns to identify potential similar issues in other libraries or components. The vulnerability highlights the importance of maintaining up-to-date network communication libraries and the risks associated with hardcoded endpoint references that may become obsolete without proper version control or update mechanisms.
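An added audit helper (not code from crosis, Replit, MITRE or VulDB) that checks the two mitigations the summary and the analysis describe: whether the installed @replit/crosis version is at or above 7.3.1, and whether the polling host in ConnectArgs is pinned to gp-v2.replit.com. It assumes the ConnectArgs field is named `pollingHost` (the advisory only says the host goes "in the ConnectArgs"); the version strings, sample args and the stale host name used below are constructed for illustration.

```javascript
// Constructed audit helper for CVE-2022-21671 (added example; not the library's own API).
// Assumption: the ConnectArgs option that sets the fallback polling host is `pollingHost`.
const PATCHED_POLLING_HOST = 'gp-v2.replit.com'; // host named in the advisory
const FIXED_VERSION = [7, 3, 1];                 // first patched release

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isPatchedVersion(version) {
  return compareVersions(parseSemver(version), FIXED_VERSION) >= 0;
}

// Accepts a bare host, a host with a path, or a full URL, and returns the lowercase hostname
// so that "https://GP-V2.replit.com/" and "gp-v2.replit.com" compare equal.
function normalizeHost(value) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value) ? value : `https://${value}`;
  return new URL(withScheme).hostname;
}

// Returns { safe, findings, hardened }: whether the fallback path would reach the patched
// proxy, why not, and a copy of the args with the polling host pinned.
function auditConnectArgs(installedVersion, connectArgs = {}) {
  const patched = isPatchedVersion(installedVersion);
  const rawHost = connectArgs.pollingHost;
  const hostPinned = rawHost !== undefined && normalizeHost(rawHost) === PATCHED_POLLING_HOST;
  const findings = [];
  if (!patched) findings.push(`crosis ${installedVersion} predates 7.3.1 (CVE-2022-21671)`);
  if (rawHost !== undefined && !hostPinned) {
    findings.push(`pollingHost "${rawHost}" is not ${PATCHED_POLLING_HOST}`);
  }
  if (!patched && rawHost === undefined) {
    findings.push('no pollingHost override; fallback would use the stale built-in proxy');
  }
  // Unpatched builds are safe only with the host pinned; patched builds are safe unless overridden elsewhere.
  const safe = patched ? (rawHost === undefined || hostPinned) : hostPinned;
  const hardened = { ...connectArgs, pollingHost: PATCHED_POLLING_HOST };
  return { safe, findings, hardened };
}
```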