Platform: nodejs
Component: protobufjs
Fixed in: 6.11.3
CVE-2022-25878 describes a Prototype Pollution vulnerability within the protobufjs library. This flaw allows attackers to inject or modify properties of the Object.prototype, potentially leading to unexpected behavior and, in some scenarios, code execution. The vulnerability impacts versions 6.10.0 through 6.10.3 and 6.11.0 through 6.11.3. A fix is available in version 6.11.3.
Prototype Pollution vulnerabilities arise when an attacker can control the values assigned to properties of Object.prototype. This can have far-reaching consequences, because those properties are inherited by every object that descends from Object.prototype. In the context of protobufjs, an attacker could exploit this by injecting malicious properties during the parsing of .proto files, or by reaching the util.setProperty or ReflectionObject.setParsedOption functions with untrusted user input. Depending on how the application uses protobufjs, this could lead to denial of service, information disclosure, or even remote code execution. The impact is amplified when the application relies on the default behaviour of JavaScript objects (for example, treating the absence of a property as meaningful).
This vulnerability was publicly disclosed on May 28, 2022. There is currently no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released, but the nature of Prototype Pollution vulnerabilities makes it likely that one will emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.42% (62nd percentile)
CVSS Vector
The primary mitigation for CVE-2022-25878 is to upgrade to version 6.11.3 or later of the protobufjs library. If upgrading is not immediately feasible, consider implementing input validation to sanitize any user-provided data before it is used in util.setProperty or ReflectionObject.setParsedOption. Additionally, carefully review any .proto files being parsed to ensure their integrity and prevent malicious content from being introduced. While not a direct fix, employing a Web Application Firewall (WAF) with prototype pollution detection rules can provide an additional layer of defense. There are no specific Sigma or YARA rules available for this vulnerability at this time.
Update the protobufjs dependency to version 6.11.3 or higher. This corrects the Prototype Pollution vulnerability. Run `npm install protobufjs@latest` or `yarn upgrade protobufjs` to update.
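As an added illustration (not protobufjs's own code), the following dotted-path option setter, written in the style the advisory describes for util.setProperty, shows why the input check recommended above must reject path segments that reach a prototype. The names setPropertyNaive, setPropertySafe, isSafeOptionPath and demo are constructed for this example, and demo uses a private prototype so it never touches the global Object.prototype.

```javascript
"use strict";
// Added example, not protobufjs code: a dotted-path setter of the kind the
// advisory describes for util.setProperty, in naive and hardened form.
// Segments that redirect a nested write onto a shared prototype.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Input-validation helper for option paths: true only if no segment can
// walk off the target object.
function isSafeOptionPath(path) {
  return path.split(".").every((p) => p.length > 0 && !FORBIDDEN_SEGMENTS.has(p));
}

// Naive setter: follows whatever each segment resolves to, so a path that
// starts with "__proto__" descends onto the prototype and writes there.
function setPropertyNaive(dst, path, value) {
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Hardened setter: validates the path first and only descends into own
// properties, so every write lands on dst or on an object dst owns.
function setPropertySafe(dst, path, value) {
  if (!isSafeOptionPath(path)) {
    throw new TypeError("rejected prototype-polluting option path: " + path);
  }
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Contained regression check: a private prototype stands in for
// Object.prototype so the check never pollutes the real one.
function demo() {
  const sharedProto = {};
  setPropertyNaive(Object.create(sharedProto), "__proto__.polluted", true);
  let blocked = false;
  try { setPropertySafe(Object.create(sharedProto), "__proto__.other", true); } catch (e) { blocked = true; }
  return { naiveLeaked: sharedProto.polluted === true, hardenedBlocked: blocked, protoClean: !("other" in sharedProto) };
}
```

Running demo() returns naiveLeaked true, hardenedBlocked true and protoClean true: the unguarded walk writes onto the shared prototype, while the guarded one refuses the path before any write happens.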
CVE-2022-25878 is a Prototype Pollution vulnerability affecting protobufjs versions 6.10.0–6.10.3 and 6.11.0–6.11.3, allowing attackers to modify Object.prototype.
You are affected if your application uses protobufjs versions 6.10.0–6.10.3 or 6.11.0–6.11.3 and processes untrusted data or .proto files.
Upgrade to protobufjs version 6.11.3 or later. Implement input validation for user-provided data and sanitize .proto files.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature makes exploitation possible.
Refer to the official protobufjs GitHub repository for updates and advisories: https://github.com/protobufjs/protobufjs