Orpc · Orpc · CVE-2026-28794
**Name of the Vulnerable Software and Affected Versions**
orpc versions prior to 1.13.6
@orpc/client versions prior to 1.13.6
**Description**
A critical prototype pollution issue exists in the RPC JSON deserializer of the `@orpc/client` package. An unauthenticated remote attacker can inject arbitrary properties into the global `Object.prototype`. The pollution persists for the lifetime of the Node.js process and affects every object created in it, which can lead to authentication bypass, denial of service and, depending on how the application consumes the polluted properties, remote code execution.

The root cause is in the `deserialize()` method of `StandardRPCJsonSerializer`, which does not validate or sanitize dangerous JavaScript object keys such as `__proto__` and `constructor` when walking attacker-controlled path segments from the `meta` and `maps` arrays. The `maps` vector allows injection of arbitrary string values because the return value of `getBlob(i)` is cast as `Blob`; that is a TypeScript compile-time cast and performs no runtime check. Deserialization runs before Zod schema validation, so a malicious payload pollutes the prototype even when the request is subsequently rejected by the validation layer.

The vulnerability can be exploited by sending a crafted payload to the `/rpc/planet/create` API endpoint with the payload in the `data` parameter, manipulating the `maps` array so that `Object.prototype.role` is set to `"admin"`. All server adapters that use the RPC protocol are affected.
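As an added illustration (this is not code from oRPC or from this advisory), the following JavaScript models the unchecked path-walking pattern the description refers to: a deserializer that assigns a value along attacker-supplied path segments, next to a hardened variant that rejects `__proto__`, `constructor` and `prototype` segments and only descends into own, plain-object properties. It also models the ordering problem, with the path walk running before a schema check, so a request the check rejects has already polluted the prototype. The payload shape (`{ path, value }`), the function names and the toy validation step are assumptions made for the demonstration; the real `StandardRPCJsonSerializer` wire format and its `meta`/`maps` layout differ.

```javascript
// Added example modelling the pattern behind CVE-2026-28794. NOT oRPC's code:
// the payload shape ({ path, value }), the function names and the validation
// step are assumptions made for this demonstration.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: walk attacker-controlled `path` into `root` and assign
// `value` at the leaf with no check on the segments. A first segment of
// "__proto__" (or "constructor" followed by "prototype") moves `cur` onto
// Object.prototype, so the final assignment is visible on every plain object.
function setPathUnsafe(root, path, value) {
  let cur = root;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    if (cur[seg] === undefined || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return root;
}

// Hardened form: reject dangerous segments before touching anything, and only
// descend into own plain-object properties, so an inherited property such as
// `constructor` is never used as a container.
function setPathSafe(root, path, value) {
  for (const seg of path) {
    if (typeof seg !== 'string' || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new TypeError(`unsafe path segment: ${String(seg)}`);
    }
  }
  let cur = root;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return root;
}

// Ordering problem: deserialization (the path walk) runs before validation, so
// a request that validation rejects has already polluted the prototype. The
// toy "schema" only requires a string `name` on the decoded input.
function handleRequest(payload, setPath) {
  const input = setPath({}, payload.path, payload.value);
  if (typeof input.name !== 'string') throw new Error('validation failed');
  return input;
}

// Runs one constructed payload through the handler, records what a fresh
// object sees afterwards, then deletes the polluted property so the rest of
// the process is unaffected (clean-up for the demonstration only).
function observe(payload, setPath) {
  let outcome;
  try {
    handleRequest(payload, setPath);
    outcome = 'accepted';
  } catch (e) {
    outcome = e instanceof TypeError ? 'rejected-by-deserializer' : 'rejected-by-validation';
  }
  const leaked = ({}).role; // undefined unless Object.prototype was polluted
  delete Object.prototype.role;
  return { outcome, leaked };
}

// Constructed payloads: the advisory's Object.prototype.role = "admin" via
// "__proto__", the equivalent route via "constructor" -> "prototype", a
// harmless nested write, and a request that passes the toy schema.
const PAYLOADS = {
  viaProto: { path: ['__proto__', 'role'], value: 'admin' },
  viaConstructor: { path: ['constructor', 'prototype', 'role'], value: 'admin' },
  nested: { path: ['profile', 'role'], value: 'admin' },
  valid: { path: ['name'], value: 'earth' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    console.log(name, 'unsafe:', observe(payload, setPathUnsafe), 'safe:', observe(payload, setPathSafe));
  }
}
```

Running the file prints, for each payload, that the unsafe walk leaves `role: "admin"` on a fresh `{}` even though validation rejected the request, while the hardened walk refuses the two dangerous paths in the deserializer and leaves the prototype untouched. The `delete` in `observe` is there only to keep the demonstration from contaminating the rest of the process; a real server has no such opportunity, which is why the pollution described above persists until restart.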
**Recommendations**
Update to orpc version 1.13.6 or later.
Update to @orpc/client version 1.13.6 or later.