PT-2022-15025 · Replit · @Replit/Crosis

Orlserg · Published 2022-01-11 · Updated 2023-07-24 · CVE-2022-21671

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

@replit/crosis versions prior to 7.3.1

Description

A vulnerability exists that involves exposure of sensitive information. When the library is used to communicate with Replit in a standalone fashion and multiple attempts to contact Replit through a WebSocket fail, the library attempts to communicate through a fallback poll-based proxy. The URL of the proxy has changed, so any communication sent to the previous URL could reach a server that is outside of Replit's control, and an attacker could obtain the token used to connect to the Repl, leading to full compromise of that Repl.

Recommendations

For versions prior to 7.3.1, update to version 7.3.1 or later. As a temporary workaround, specify the new address for the polling host (gp-v2.replit.com) in the ConnectArgs.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2022-21671
GHSA-7W54-GP8X-F33M

Affected Products

@Replit/Crosis