CVE-2022-21671: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in replit crosis
@replit/crosis is a JavaScript client that speaks Replit's container protocol. A vulnerability that involves exposure of sensitive information exists in versions prior to 7.3.1. When using this library as a way to programmatically communicate with Replit in a standalone fashion, if there are multiple failed attempts to contact Replit through a WebSocket, the library will attempt to communicate using a fallback poll-based proxy. The URL of the proxy has changed, so any communication done to the previous URL could potentially reach a server that is outside of Replit's control and the token used to connect to the Repl could be obtained by an attacker, leading to full compromise of that Repl (not of the account). This was patched in version 7.3.1 by updating the address of the fallback WebSocket polling proxy to the new one. As a workaround, a user may specify the new address for the polling host (`gp-v2.replit.com`) in the `ConnectArgs`. More information about this workaround is available in the GitHub Security Advisory.
AI Analysis
Technical Summary
CVE-2022-21671 is a vulnerability identified in the @replit/crosis JavaScript client library, which is used to communicate programmatically with Replit's container protocol. The issue affects versions prior to 7.3.1. The vulnerability arises when the library attempts to establish communication with Replit via WebSocket connections. If multiple failed attempts occur, the library falls back to a poll-based proxy communication method. However, the fallback proxy URL had changed, and the library continued to use the outdated URL. This misconfiguration could cause communication to be routed through a server outside Replit's control. Consequently, sensitive information, specifically the token used to connect to a Repl environment, could be exposed to an unauthorized actor. Possession of this token allows an attacker to fully compromise the targeted Repl instance, although it does not grant access to the broader user account. The vulnerability was addressed in version 7.3.1 by updating the fallback proxy URL to the correct address (gp-v2.replit.com). As a temporary mitigation, users can manually specify the new polling host address in the ConnectArgs configuration. This vulnerability is categorized under CWE-200, indicating exposure of sensitive information to unauthorized actors. There are no known exploits in the wild, and the issue primarily impacts the confidentiality of the Repl tokens during fallback communication. The attack vector requires no authentication but does rely on the client using a vulnerable version of the library and triggering fallback communication. No user interaction is necessary beyond the automated fallback process within the library's operation.
Potential Impact
For European organizations leveraging Replit's crosis library in their development workflows or automated systems, this vulnerability could lead to unauthorized disclosure of sensitive tokens that control access to individual Repl environments. While the compromise does not extend to the entire user account, attackers gaining control over a Repl can manipulate code, access stored data, or disrupt services running within that container. This could result in intellectual property theft, data leakage, or service disruption, particularly for organizations using Replit for prototyping, development, or educational purposes. The impact is more pronounced for organizations relying on automated or unattended processes that use the vulnerable library version, as the fallback mechanism is triggered automatically. Given that Replit is a cloud-based platform, any compromise could also affect collaborative projects or shared environments. Although no widespread exploitation has been reported, the exposure risk remains until all affected instances are patched or mitigated. The medium severity rating reflects the limited scope (single Repl compromise) but significant confidentiality impact and ease of exploitation due to the automatic fallback behavior.
Mitigation Recommendations
1. Upgrade all instances of the @replit/crosis library to version 7.3.1 or later to ensure the fallback proxy URL is correctly set.
2. For environments where immediate upgrade is not feasible, explicitly configure the ConnectArgs to specify the new polling host address (gp-v2.replit.com) to avoid fallback communication to the outdated proxy.
3. Audit existing Repl environments for suspicious activity or unauthorized access, focusing on those using vulnerable library versions.
4. Implement monitoring and alerting on token usage anomalies to detect potential misuse.
5. Educate developers and DevOps teams about the importance of keeping dependencies up to date and verifying fallback mechanisms in client libraries.
6. Consider isolating critical Repl environments and limiting token permissions where possible to reduce the impact of token exposure.
7. Review and tighten network policies to restrict communication to known Replit endpoints, minimizing the risk of tokens being sent to unauthorized servers.
8. Regularly review security advisories from Replit and related dependencies to stay informed about emerging vulnerabilities and patches.
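The first recommendation is a version check across every installed copy of the library, including nested ones. The following Node.js script is an added example (not code from this advisory or from the crosis project): it walks a constructed package-lock.json in the npm v2/v3 "packages" layout and flags any @replit/crosis entry below 7.3.1, treating prereleases of 7.3.1 as still vulnerable.

```javascript
// Added example: audit a package-lock.json for vulnerable @replit/crosis versions.
// The lockfile below is constructed for illustration; it follows the npm v2/v3
// "packages" layout, where each entry is keyed by its node_modules path.
const FIXED_VERSION = "7.3.1"; // first release with the corrected polling proxy URL

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when `version` sorts strictly below `fixed` under semver ordering.
// A prerelease of the fixed version (e.g. 7.3.1-beta.0) still counts as vulnerable.
function isBelow(version, fixed) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  for (let i = 0; i < 3; i++) {
    if (a.parts[i] !== b.parts[i]) return a.parts[i] < b.parts[i];
  }
  return a.pre !== null && b.pre === null;
}

// Walk every installed copy (top-level and nested) and report the vulnerable ones.
function findVulnerableCrosis(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/@replit/crosis")) continue;
    if (isBelow(meta.version, FIXED_VERSION)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: one direct dependency that is vulnerable, one nested copy that is patched.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@replit/crosis": { version: "7.2.0" },
    "node_modules/some-tool/node_modules/@replit/crosis": { version: "7.3.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(findVulnerableCrosis(sampleLock));
  // → [ { path: 'node_modules/@replit/crosis', version: '7.2.0' } ]
}
```

Point the script at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `sampleLock`; any non-empty result means recommendation 1 still applies to that project.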
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2021-11-16T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9842c4522896dcbf2257
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 6:33:44 PM
Last updated: 8/21/2025, 6:05:55 AM