Description
An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object.
Published: 2026-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated remote code execution vulnerability exists in the Replicator 1.0.5 npm package. The flaw arises when the application blindly deserializes untrusted user input, allowing an attacker to construct an object that triggers arbitrary code execution upon deserialization.

Affected Systems

The affected product is Replicator, version 1.0.5, used as a Node.js package manager. Systems incorporating this specific version are at risk; newer or older versions are not indicated as affected by the available data.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, while no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote and unauthenticated, as the description states that the flaw is triggered by deserializing untrusted user input. Successful exploitation would enable an attacker to run arbitrary code with the privileges of the application, compromising confidentiality, integrity, and availability of affected systems.

Generated by OpenCVE AI on April 2, 2026 at 02:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Replicator to a non‑vulnerable release that removes insecure deserialization of untrusted data.
  • If an upgrade is not immediately possible, apply the patch described in pull request 19, or otherwise ensure that the application does not deserialize data supplied by untrusted sources.

Generated by OpenCVE AI on April 2, 2026 at 02:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2gmp-34j9-fqjm Replicator deserializes untrusted user input
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Replicator Project
Replicator Project replicator
Weaknesses CWE-347
Vendors & Products Replicator Project
Replicator Project replicator

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object.
Title Replicator 1.0.5 is vulnerable to Remote Code Execution through Insecure Deserialization
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Replicator Project Replicator
cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-01T19:27:36.981Z

Reserved: 2026-02-09T19:27:28.332Z

Link: CVE-2026-2265

cve-icon Vulnrichment

Updated: 2026-04-01T19:27:32.498Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-01T17:28:38.410

Modified: 2026-04-03T16:11:11.357

Link: CVE-2026-2265

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:17:17Z

Weaknesses