cvedb.io
CVE-2022-21671
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2022-01-11T15:15:08.640 · Last modified 2026-06-17T04:26:43.827

Summary

@replit/crosis is a JavaScript client that speaks Replit's container protocol. Versions prior to 7.3.1 contain an information exposure vulnerability. When the library is used to communicate with Replit programmatically in a standalone fashion and several attempts to reach Replit over a WebSocket fail, it falls back to a poll-based proxy. The URL of that proxy had changed, so traffic sent to the old URL could reach a server outside Replit's control, and the token used to connect to the Repl could be obtained by an attacker, leading to full compromise of that Repl (not of the account). This was patched in version 7.3.1 by updating the address of the fallback WebSock

Affected products

replit — crosis

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.