Platform: nodejs
Component: protobufjs
Fixed in: 6.11.3
CVE-2022-25878 describes a Prototype Pollution vulnerability in the protobufjs library. The flaw lets an attacker inject or modify properties on Object.prototype, which can cause unexpected behaviour throughout the application and, depending on how the polluted properties are later consumed, code execution. The vulnerability affects the 6.10.x line before 6.10.3 and the 6.11.x line before 6.11.3; it is fixed in 6.11.3 (and in 6.10.3 on the 6.10 branch).
Prototype Pollution arises when an attacker controls the keys used to build up nested objects, so that a key such as `__proto__` is resolved against Object.prototype instead of the target object. In protobufjs this can happen when untrusted input reaches the util.setProperty or ReflectionObject.setParsedOption functions, or when the application parses or loads a malicious .proto file. Successful exploitation lets an attacker add arbitrary properties that every object in the JavaScript runtime then inherits, which can corrupt object structures (denial of service) or alter program logic that checks for the presence of a property. Direct remote code execution is unlikely, but the ability to modify core object behaviour can have far-reaching consequences within a Node.js application.
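The mechanism described above, as an added illustration that is not protobufjs's own source: a minimal reconstruction of a dotted-path setter in the style the advisory describes, the hardened form a fix takes, and a runtime check that reveals pollution. Function names, the hostile option path and the sample values are constructed for this example.

```javascript
// Added example (not protobufjs code): the dotted-path setter pattern behind
// CVE-2022-25878, a hardened variant, and a runtime check. Names are assumed.

// Vulnerable pattern: walk a dotted path, creating intermediate objects on the
// way. Because ({}).__proto__ resolves to Object.prototype, the path
// "__proto__.polluted" writes onto the shared prototype.
function vulnerableSetProperty(dst, path, value) {
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (typeof cur[part] !== "object" || cur[part] === null) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Hardened pattern: reject the prototype-reaching keys outright and only
// descend into properties the target object owns, never inherited ones.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeSetProperty(dst, path, value) {
  const parts = path.split(".");
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) {
      throw new TypeError(`refusing to set property through forbidden key "${part}"`);
    }
  }
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, part);
    if (!own || typeof cur[part] !== "object" || cur[part] === null) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Runtime check: Object.prototype has no own enumerable keys in a clean
// process, so any key listed here was injected.
function unexpectedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Walk through the attack, detect it, undo it, then show the hardened setter
// blocking the same path while still handling a benign one.
function demo() {
  const hostilePath = "__proto__.polluted"; // constructed untrusted option path
  const before = unexpectedPrototypeKeys().length; // 0 in a clean process
  vulnerableSetProperty({}, hostilePath, "yes");
  const leaked = ({}).polluted;               // "yes": every object inherits it
  const detected = unexpectedPrototypeKeys(); // ["polluted"]
  delete Object.prototype.polluted;           // clean up for the rest of the process
  let blocked = false;
  try {
    safeSetProperty({}, hostilePath, "yes");
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  const benign = safeSetProperty({}, "a.b.c", 1); // { a: { b: { c: 1 } } }
  return { before, leaked, detected, blocked, benign };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The check in unexpectedPrototypeKeys is cheap enough to run at startup or in a health endpoint; a non-empty result is a strong signal, since nothing in a normal Node.js process adds enumerable keys to Object.prototype.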
This vulnerability was publicly disclosed on May 28, 2022. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, indicating a moderate risk of exploitation. The vulnerability's impact is primarily related to application stability and data integrity, rather than direct remote code execution.
Applications built using Node.js that rely on the protobufjs library for data serialization and deserialization are at risk. This includes applications that process data from untrusted sources, such as user-uploaded files or external APIs, and those that parse .proto files without proper validation.
• nodejs / server: `npm list protobufjs`
• nodejs / server: `npm audit`
• generic web: Inspect application logs for errors raised while parsing protobuf messages or .proto options, and for unexpected property names that appear on objects across the application at once.
EPSS: 0.42% (62nd percentile)
The primary mitigation for CVE-2022-25878 is to upgrade to protobufjs version 6.11.3 or later. If upgrading is not immediately feasible, validate user-provided data before it reaches util.setProperty or ReflectionObject.setParsedOption, in particular rejecting path segments and option names such as `__proto__`, `constructor` and `prototype`. Treat .proto files from untrusted sources as code: review and validate them before the application parses them. WAF rules can flag request bodies or uploaded .proto content containing these keys, although this is a stop-gap rather than a fix. There are no specific Sigma or YARA rules available for this vulnerability at this time.
Update the protobufjs dependency to version 6.11.3 or later; this removes the Prototype Pollution flaw. Run `npm install protobufjs@latest` or `yarn upgrade protobufjs` to update.
CVE-2022-25878 is a Prototype Pollution vulnerability affecting protobufjs 6.10.x before 6.10.3 and 6.11.x before 6.11.3, allowing attackers to modify Object.prototype.
You are affected if your application uses protobufjs 6.10.x before 6.10.3 or 6.11.x before 6.11.3 and processes untrusted data or .proto files.
Upgrade to protobufjs version 6.11.3 or later. Implement input validation for user-provided data and sanitize .proto files.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature makes exploitation possible.
Refer to the official protobufjs GitHub repository for updates and advisories: https://github.com/protobufjs/protobufjs