CVE-2026-28794 Overview
CVE-2026-28794 is a critical prototype pollution vulnerability affecting the oRPC framework, a tool designed to help developers build APIs that are end-to-end type-safe and adhere to OpenAPI standards. The vulnerability exists in the RPC JSON deserializer of the @orpc/client package and allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype.
Because prototype pollution persists for the lifetime of the Node.js process and affects all objects created thereafter, exploitation of this vulnerability can lead to severe security breaches including authentication bypass, denial of service, and potentially Remote Code Execution (RCE).
Critical Impact
Remote unauthenticated attackers can pollute the JavaScript Object prototype, affecting all objects in the Node.js process and potentially achieving authentication bypass, DoS, or RCE.
Affected Products
- oRPC versions prior to 1.13.6
- @orpc/client package (all versions before the security patch)
- Applications using oRPC for API development with JSON deserialization
Discovery Timeline
- 2026-03-06 - CVE-2026-28794 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-28794
Vulnerability Analysis
This prototype pollution vulnerability occurs in the JSON deserialization logic within the @orpc/client package. The deserializer processes incoming JSON data and reconstructs JavaScript objects by traversing path segments to set values at specific object locations. Prior to the patch, the code did not validate whether the target property actually existed on the object being modified.
An attacker can craft malicious JSON payloads containing specially constructed path segments such as __proto__ or constructor.prototype. When the deserializer processes these payloads, it inadvertently writes attacker-controlled values to the global Object.prototype. Since all JavaScript objects inherit from Object.prototype, this pollution affects every object created in the application, potentially overwriting security-critical properties used in authentication checks, configuration, or business logic.
Root Cause
The root cause is insufficient input validation during the deserialization process. The vulnerable code traverses object paths without verifying that each path segment corresponds to an actual, existing property on the target object. This allows attackers to navigate to prototype properties (__proto__, constructor.prototype) and inject arbitrary key-value pairs that become inherited by all objects.
The deserializer blindly trusted the path segments provided in the serialized data, creating an object traversal mechanism that could be abused to reach and modify prototype chains.
Attack Vector
This vulnerability is exploitable remotely over the network without authentication. An attacker can send specially crafted JSON-RPC requests to an oRPC endpoint containing malicious path references. The attack requires no user interaction and has low complexity, making it highly exploitable in exposed oRPC deployments.
The attack flow typically involves:
- Sending a JSON payload with path segments targeting __proto__ or constructor.prototype
- The deserializer traverses to the prototype object
- Malicious properties are injected into Object.prototype
- All subsequent object operations in the Node.js process inherit the polluted properties
segments.forEach((segment) => {
currentRef = currentRef[preSegment]
preSegment = segment
+ if (!Object.hasOwn(currentRef, preSegment)) {
+ throw new Error(`Security error: accessing non-existent path during deserialization. Path segment: ${preSegment}`)
+ }
})
currentRef[preSegment] = getBlob(i)
Source: GitHub Commit 1dba06fc6f938c2486de303c2fa096bc1c8418b5
The patch adds a critical security check using Object.hasOwn() to verify that each path segment being accessed actually exists as an own property on the current object reference. If an attacker attempts to traverse to a non-existent or prototype-inherited property, the deserializer now throws a security error, preventing prototype pollution.
Detection Methods for CVE-2026-28794
Indicators of Compromise
- Unexpected properties appearing on JavaScript objects that were not explicitly defined
- Authentication mechanisms failing or behaving unexpectedly across the application
- Application logic errors involving undefined or unexpected property values
- Unusual JSON-RPC requests containing __proto__, constructor, or prototype path segments in request bodies
Detection Strategies
- Implement request logging and analyze JSON-RPC payloads for prototype pollution patterns (__proto__, constructor.prototype)
- Deploy Web Application Firewalls (WAF) with rules to detect and block requests containing prototype pollution payloads
- Use runtime application self-protection (RASP) tools to monitor for prototype modifications
- Implement integrity monitoring on critical Object.prototype properties
Monitoring Recommendations
- Monitor application logs for deserialization errors or security exceptions from the oRPC client
- Set up alerts for unexpected application behavior that could indicate prototype pollution (authentication anomalies, configuration changes)
- Track Node.js process stability and watch for crashes or hangs that could indicate DoS via prototype pollution
- Audit incoming API traffic for anomalous JSON structures targeting object prototypes
How to Mitigate CVE-2026-28794
Immediate Actions Required
- Upgrade @orpc/client to version 1.13.6 or later immediately
- Review application logs for any evidence of exploitation attempts
- Consider restarting Node.js processes to clear any existing prototype pollution
- Implement input validation at the API gateway level to reject suspicious payloads
Patch Information
The vulnerability has been patched in oRPC version 1.13.6. The fix implements a security check using Object.hasOwn() to ensure that path segments during deserialization reference actual own properties of the object, preventing traversal to prototype properties.
Review the GitHub Security Advisory GHSA-m272-9rp6-32mc for complete details. The patch commit is available for review.
Workarounds
- If immediate upgrade is not possible, implement a reverse proxy or WAF rule to block requests containing __proto__ or constructor in JSON payloads
- Consider freezing Object.prototype using Object.freeze(Object.prototype) at application startup (note: this may break some libraries)
- Implement custom request validation middleware to sanitize incoming JSON before it reaches the oRPC deserializer
- Isolate oRPC services in separate Node.js processes to limit the blast radius of potential prototype pollution
# Upgrade oRPC to patched version
npm update @orpc/client@1.13.6
# Or install specific patched version
npm install @orpc/client@1.13.6
# Verify installed version
npm list @orpc/client
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
