PT-2026-23000 · Orpc+1

Mnixry · Published 2026-03-02 · Updated 2026-03-11

CVE-2026-28794 · CVSS v3.1 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: orpc versions prior to 1.13.6; @orpc/client versions prior to 1.13.6
Description: A critical prototype pollution issue exists in the RPC JSON deserializer of the @orpc/client package. It allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. The pollution persists for the lifetime of the Node.js process and affects all objects, potentially leading to severe security breaches, including authentication bypass, denial of service, and remote code execution. The root cause is in the deserialize() method of StandardRPCJsonSerializer, which fails to validate or sanitize dangerous JavaScript object keys such as __proto__ and constructor when processing attacker-controlled path segments from the meta and maps arrays. The maps vector allows the injection of arbitrary string values because the return value of getBlob(i) is cast as Blob, which is only a TypeScript compile-time cast and performs no runtime check. This deserialization occurs before Zod schema validation, so a malicious payload pollutes the prototype even if the request is subsequently rejected by the validation layer. The vulnerability can be exploited by sending a crafted payload to the /rpc/planet/create API endpoint with data in the data parameter, specifically manipulating the maps array to set Object.prototype.role to "admin". This impacts all server adapters utilizing the RPC protocol.
Recommendations: Update to orpc version 1.13.6 or later. Update to @orpc/client version 1.13.6 or later.
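The defensive counterpart of the flaw described above, as an added example that is not oRPC's own code: a path-assignment routine of the kind a deserializer needs when it rebuilds values from request-supplied path segments, which validates every segment before any write, plus a check a defender can use to confirm Object.prototype is still clean. The {path, value} entry format and all function names are assumptions made for this example.

```javascript
// Added example (not oRPC's own code). Segments that can reach Object.prototype
// through property traversal are refused before anything is written.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Reject any path that is not a flat, non-empty array of string/number segments,
// or that contains a segment able to climb into the prototype chain.
function validatePath(path) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  for (const seg of path) {
    if (typeof seg !== 'string' && typeof seg !== 'number') {
      throw new TypeError('path segments must be strings or numbers');
    }
    if (FORBIDDEN_SEGMENTS.has(String(seg))) {
      throw new Error(`forbidden path segment: ${String(seg)}`);
    }
  }
}

// Assign `value` at `path` inside `root`. Intermediate containers are created with a
// null prototype, so a shadowed builtin name only ever lands on the object being built.
function setByPath(root, path, value) {
  let cur = root;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || cur[seg] === null || typeof cur[seg] !== 'object') {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
}

// Deserialize a batch of {path, value} entries (assumed format). Every path is
// validated before the first write, so a rejected payload leaves `root` untouched
// instead of half-applied.
function deserializeEntries(entries, root = {}) {
  for (const entry of entries) validatePath(entry.path);
  for (const { path, value } of entries) setByPath(root, path, value);
  return root;
}

// Defender-side check: Object.prototype normally has no own enumerable keys; any
// that appear are the footprint of a successful pollution.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}
```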

Tags: Exploit · Fix · RCE · DoS · Prototype Pollution

Related Identifiers: CVE-2026-28794, GHSA-M272-9RP6-32MC

Affected Products: @orpc/client, orpc