SCA: security update for @replit/crosis (GHSA-7w54-gp8x-f33m)

medium Tenable Cloud Security Plugin ID 412299

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- @replit/crosis is a JavaScript client that speaks Replit's container protocol. A vulnerability that
involves exposure of sensitive information exists in versions prior to 7.3.1. When using this library as a
way to programmatically communicate with Replit in a standalone fashion, if there are multiple failed
attempts to contact Replit through a WebSocket, the library will attempt to communicate using a fallback
poll-based proxy. The URL of the proxy has changed, so any communication done to the previous URL could
potentially reach a server that is outside of Replit's control and the token used to connect to the Repl
could be obtained by an attacker, leading to full compromise of that Repl (not of the account). This was
patched in version 7.3.1 by updating the address of the fallback WebSocket polling proxy to the new one.
As a workaround, a user may specify the new address for the polling host (`gp-v2.replit.com`) in the
`ConnectArgs`. More information about this workaround is available in the GitHub Security Advisory.
(CVE-2022-21671)

See Also

https://github.com/advisories/GHSA-7w54-gp8x-f33m

Plugin Details

Severity: Medium

ID: 412299

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2022-21671

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/12/2022

Vulnerability Publication Date: 1/11/2022

Reference Information

CVE: CVE-2022-21671

cwe: CWE-200