PRIOn knowledge basePRION:CVE-2023-36665

HistoryJul 05, 2023 - 2:15 p.m.

Design/Logic Flaw

2023-07-0514:15:00

PRIOn knowledge base

www.prio-n.com

protobuf.js

prototype pollution

object.prototype

cve-2022-25878

exploitation

parse

.proto files

untrusted input

8.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.0%

JSON

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

CPENameOperatorVersion
protobufjsge6.10.0
protobufjslt7.2.4

CPE	Name	Operator	Version
	protobufjs	ge	6.10.0
	protobufjs	lt	7.2.4

References

github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d

github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4

github.com/protobufjs/protobuf.js/pull/1899

github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4

www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665