CVE-2023-36665 – protobufjs
Package
Manager: npm
Name: protobufjs
Vulnerable Version: >=7.0.0 <7.2.5 || >=6.10.0 <6.11.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01673 (percentile 0.81408)
Details
protobufjs Prototype Pollution vulnerability
protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about `Object.constructor.prototype.<new-property> = ...;` whereas CVE-2022-25878 was about `Object.__proto__.<new-property> = ...;` instead.
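The mitigation the record implies is a dotted-path setter that refuses to walk through `__proto__`, `constructor` or `prototype` before the patched versions do so themselves. The following is an added example, not protobufjs code: `safeSetProperty`, `FORBIDDEN_KEYS` and `hasPollutedPrototype` are names chosen here, and the sample paths are constructed.

```javascript
// Added example (not protobufjs's util.setProperty): a dotted-path setter
// hardened against the prototype-pollution pattern CVE-2023-36665 describes,
// plus a small check for an already-polluted Object.prototype.
// Names below (safeSetProperty, FORBIDDEN_KEYS, hasPollutedPrototype) are
// assumptions of this example.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Sets `value` at the dotted `path` inside `target`, creating intermediate
// plain objects as needed. Throws instead of descending into a key that can
// reach a prototype, so neither "__proto__.x" nor "constructor.prototype.x"
// (the variant this CVE is about) can touch Object.prototype.
function safeSetProperty(target, path, value) {
  const keys = path.split(".");
  let cur = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set prototype-reaching key: ${key}`);
    }
    if (i === keys.length - 1) {
      cur[key] = value;
      return target;
    }
    // Only descend into own, plain-object properties; never inherited ones.
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  return target;
}

// Detection aid: true if any of `names` has become an own property of
// Object.prototype (e.g. after loading an untrusted .proto or message).
function hasPollutedPrototype(names) {
  return names.some((n) => Object.prototype.hasOwnProperty.call(Object.prototype, n));
}

// Constructed sample input: a benign option path and two hostile ones.
const doc = safeSetProperty({}, "options.deprecated", true);
console.log(doc.options.deprecated); // true
for (const bad of ["__proto__.polluted", "constructor.prototype.polluted"]) {
  try { safeSetProperty({}, bad, 1); } catch (e) { console.log(e.message); }
}
console.log(hasPollutedPrototype(["polluted"])); // false
```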
Metadata
Created: 2023-07-05T15:30:24Z
Modified: 2024-06-28T18:31:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-h755-8qp9-cq85/GHSA-h755-8qp9-cq85.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-h755-8qp9-cq85
Finding: F390
Auto approve: 1