Description
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: 1.1% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

oRPC is an API toolkit whose RPC calls are carried as JSON. Prior to version 1.13.6, the StandardRPCJsonSerializer in the @orpc/client package contained a prototype pollution flaw (CWE-1321). An attacker who can get a specially crafted JSON payload deserialized by the vulnerable serializer can inject arbitrary properties into the global Object.prototype; despite the package name, this includes servers that deserialize incoming RPC requests with it. The polluted prototype persists for the remainder of the Node.js process and is inherited by every ordinary object, so any later code that reads a property it expected to be absent (a flag, an option, a default) now sees the attacker's value. Depending on how application logic consumes those properties, the flaw can be leveraged for authentication bypass, denial of service, and potentially Remote Code Execution.

Affected Systems

Any Node.js application that depends on @orpc/client at a version older than 1.13.6 is affected (NVD tracks it under the vendor/product pairs Middleapi/orpc and Orpc/orpc, CPE cpe:2.3:a:orpc:orpc). This includes direct use in application code, indirect use through packages that depend on @orpc/client, and any server that deserializes untrusted RPC requests with the vulnerable serializer.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 base score of 9.3 (NVD's CVSS 3.1 assessment is 9.8), critical on both scales. The EPSS score is 1.1%, suggesting that widespread exploitation is currently unlikely, and the CVE is not in the CISA KEV catalog; the SSVC assessment nevertheless records a public proof of concept (Exploitation: poc) and rates the flaw automatable. The attack vector is network-reachable with no privileges or user interaction required (AV:N/PR:N/UI:N): exploitation only requires delivering a malicious JSON payload over any channel the RPC service accepts. Once deserialized, the pollution persists for the lifetime of the process, so a single request has a lasting effect. Administrators should treat this flaw with the same urgency as any remote code execution vulnerability.

Generated by OpenCVE AI on April 16, 2026 at 11:32 UTC.

Remediation

Vendor fix: @orpc/client 1.13.6 or newer (GHSA-m272-9rp6-32mc). No vendor-provided workaround is listed beyond upgrading.

OpenCVE Recommended Actions

  • Upgrade @orpc/client to v1.13.6 or newer.
  • Ensure that all dependencies and transitive packages resolve to the patched version: update the lockfile (package-lock.json, pnpm-lock.yaml or yarn.lock), confirm with `npm ls @orpc/client` (or the equivalent for your package manager) that no copy older than 1.13.6 remains, then rebuild and redeploy the application.
  • If upgrading is not immediately possible, reject RPC request bodies that contain `__proto__`, `constructor` or `prototype` keys at the ingress boundary before they reach the deserializer, and audit any custom serializer for recursive merges or path walks into untrusted objects. Treat this as a stopgap, not a substitute for the upgrade.
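The pollution mechanism described under Impact and the ingress check recommended in the last bullet, as an added example in JavaScript for Node.js. This is not code from oRPC, the advisory or this page: it models a generic RPC JSON deserializer that deep-copies the parsed body into fresh objects while reviving tagged values. The `{"json": ...}` envelope shape, the `$type` tags, the function names (`deserializeNaive`, `deserializeSafe`, `findPollutingKey`) and both payloads are constructed for the demo and say nothing about @orpc/client's actual wire format.

```javascript
// Added illustrative example; not code from @orpc/client or the advisory.
// It models a generic RPC JSON deserializer that deep-copies the parsed
// body into fresh objects while reviving tagged values such as
// {"$type":"date","value":"..."}. The envelope shape, the tag names and
// every function below are assumptions made for this demo.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Revive a tagged scalar, or return undefined if the node is an ordinary object.
function revive(node) {
  if (node.$type === 'date') return new Date(node.value);
  if (node.$type === 'bigint') return BigInt(node.value);
  return undefined;
}

// One copy routine with two modes. strict=false is the vulnerable pattern:
// when both sides are objects it recurses into dst[key], and dst['__proto__']
// is the inherited accessor for Object.prototype, so a body containing
// {"__proto__": {"isAdmin": true}} writes Object.prototype.isAdmin = true.
// strict=true refuses polluting keys and only reuses a target that is an
// own property of dst.
function copyInto(dst, src, strict) {
  for (const key of Object.keys(src)) { // JSON.parse makes "__proto__" an OWN key
    if (strict && FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected prototype-polluting key: ${key}`);
    }
    const val = src[key];
    const revived = isPlainObject(val) ? revive(val) : undefined;
    if (revived !== undefined) {
      dst[key] = revived;
    } else if (isPlainObject(val)) {
      const reusable = isPlainObject(dst[key]) &&
        (!strict || Object.prototype.hasOwnProperty.call(dst, key));
      if (!reusable) dst[key] = {};
      copyInto(dst[key], val, strict);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

function deserializeNaive(text) {
  const parsed = JSON.parse(text);
  return isPlainObject(parsed) ? copyInto({}, parsed, false) : parsed;
}

function deserializeSafe(text) {
  const parsed = JSON.parse(text);
  return isPlainObject(parsed) ? copyInto({}, parsed, true) : parsed;
}

// Boundary guard for the "cannot upgrade yet" case: walk the raw parsed body
// before it reaches any deserializer and return the path of the first
// polluting key, or null if the body is clean.
function findPollutingKey(value, path = []) {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutingKey(value[i], path.concat(String(i)));
      if (hit) return hit;
    }
    return null;
  }
  if (!isPlainObject(value)) return null;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return path.concat(key);
    const hit = findPollutingKey(value[key], path.concat(key));
    if (hit) return hit;
  }
  return null;
}

// Constructed payloads. ATTACK is written as a raw string on purpose: a JS
// object literal with a __proto__ key would set the prototype instead of
// producing the key, and JSON.stringify would silently drop it.
const LEGIT = '{"json":{"input":{"userId":42,"since":{"$type":"date","value":"2026-03-06T00:00:00Z"}}}}';
const ATTACK = '{"json":{"input":{"userId":42},"__proto__":{"isAdmin":true}}}';

function demo() {
  const victim = {};                   // any unrelated object in the same process
  const before = victim.isAdmin;       // undefined
  deserializeNaive(ATTACK);            // one request pollutes the whole process
  const after = victim.isAdmin;        // true
  delete Object.prototype.isAdmin;     // undo the pollution for the rest of the demo
  let safeError = null;
  try { deserializeSafe(ATTACK); } catch (e) { safeError = e.message; }
  return {
    before,
    after,
    safeError,
    guardPath: findPollutingKey(JSON.parse(ATTACK)),   // ['json', '__proto__']
    stillClean: victim.isAdmin === undefined,
  };
}

console.log(demo());
```

Running the file with node prints the result object. The point to note is that `victim` is never handed to the deserializer and still gains `isAdmin` after the naive call, which is why a single request has process-wide effect. `findPollutingKey` is the kind of check the last bullet refers to: run it on the parsed body at the ingress (for example in an HTTP middleware) and reject with a 400 on a hit; the hardened `copyInto` additionally refuses to recurse into anything that is not an own property of the target, which closes the `__proto__` accessor path even if a key slips past the name check.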

Advisories

Source: GitHub GHSA
ID: GHSA-m272-9rp6-32mc
Title: `@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization
History

Tue, 10 Mar 2026 20:00:00 +0000 (values added; nothing removed)

First Time appeared: Orpc; Orpc orpc
CPEs: cpe:2.3:a:orpc:orpc:*:*:*:*:*:*:*:*
Vendors & Products: Orpc; Orpc orpc
Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 09 Mar 2026 20:15:00 +0000 (values added; nothing removed)

Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000 (values added; nothing removed)

First Time appeared: Middleapi; Middleapi orpc
Vendors & Products: Middleapi; Middleapi orpc

Fri, 06 Mar 2026 05:15:00 +0000 (values added; nothing removed)

Description: oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.
Title: oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization
Weaknesses: CWE-1321
References:
Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T19:53:35.764Z

Reserved: 2026-03-03T14:25:19.245Z

Link: CVE-2026-28794

Vulnrichment

Updated: 2026-03-09T19:53:31.304Z

cve-icon NVD

Status: Analyzed

Published: 2026-03-06T05:16:40.297

Modified: 2026-03-10T19:48:05.813

Link: CVE-2026-28794

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses