CVE-2020-7768
Prototype Pollution vulnerability in grpc

Prototype Pollution | No known exploit

What is CVE-2020-7768 About?

The `grpc` package before 1.24.4 and `@grpc/grpc-js` before 1.1.8 are vulnerable to Prototype Pollution via `loadPackageDefinition`. This allows an attacker to inject arbitrary properties into JavaScript object prototypes, potentially leading to denial of service or arbitrary code execution. Exploitation requires the ability to provide untrusted input to this specific function.

Affected Software

  • grpc
    • <1.24.4
  • @grpc/grpc-js
    • <1.1.8

Technical Details

The `grpc` package (before 1.24.4) and `@grpc/grpc-js` (before 1.1.8) are susceptible to a Prototype Pollution vulnerability rooted in the `loadPackageDefinition` function, which loads and parses gRPC service definitions. Because `loadPackageDefinition` does not safely handle the names it is given when building objects from untrusted input, an attacker can craft a package definition that injects arbitrary properties into `Object.prototype`. Once `Object.prototype` is polluted, any code in the application that reads a property an object does not itself define inherits the attacker-controlled value. Depending on where that value is consumed, this can alter program logic, crash the application (denial of service), or in some cases lead to arbitrary code execution by manipulating security-critical behaviour.
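To make the failure mode concrete, the following is an added example (not grpc's own code): a toy package loader that turns dotted, fully-qualified names into nested namespace objects, shown first in a naive form that can be polluted and then in a hardened form. The loader shape, the `FORBIDDEN` set and the constructed definition are assumptions for illustration, not the real `loadPackageDefinition` implementation.

```javascript
// Added example, not code from the grpc project. The loader below is a
// simplified stand-in (assumption) for how a package loader might build
// nested objects from dotted names such as "helloworld.Greeter".

// Constructed package definition: one legitimate service plus one entry whose
// first path component is "__proto__".
const CONSTRUCTED_DEFINITION = {
  'helloworld.Greeter': { SayHello: { path: '/helloworld.Greeter/SayHello' } },
  '__proto__.polluted': 'set-by-untrusted-definition',
};

// Naive loader: every path component is used directly as a property name.
// Walking into "__proto__" lands on Object.prototype, so the final assignment
// writes a property that every plain object in the process then inherits.
function loadPackageDefinitionNaive(packageDef) {
  const result = {};
  for (const fqn of Object.keys(packageDef)) {
    const parts = fqn.split('.');
    let current = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const name = parts[i];
      if (current[name] === undefined) {
        current[name] = {};
      }
      current = current[name];
    }
    current[parts[parts.length - 1]] = packageDef[fqn];
  }
  return result;
}

// Hardened loader: reject dangerous path components outright, build only
// null-prototype objects (so there is no Object.prototype to reach), and
// consult own properties only when descending.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function loadPackageDefinitionSafe(packageDef) {
  const result = Object.create(null);
  for (const fqn of Object.keys(packageDef)) {
    const parts = fqn.split('.');
    if (parts.some((p) => p === '' || FORBIDDEN.has(p))) {
      throw new Error(`rejected unsafe name component in "${fqn}"`);
    }
    let current = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const name = parts[i];
      if (!Object.prototype.hasOwnProperty.call(current, name)) {
        current[name] = Object.create(null);
      }
      current = current[name];
    }
    current[parts[parts.length - 1]] = packageDef[fqn];
  }
  return result;
}

// Detection helper: has a given key become an own property of Object.prototype?
function prototypeHasKey(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Runs both loaders against the constructed definition and cleans up the
// pollution afterwards so the rest of the process is unaffected.
function demonstrate() {
  const naive = loadPackageDefinitionNaive(CONSTRUCTED_DEFINITION);
  const leakedIntoFreshObject = {}.polluted; // inherited, never set directly
  const polluted = prototypeHasKey('polluted');
  delete Object.prototype.polluted;

  let safeError = null;
  try {
    loadPackageDefinitionSafe(CONSTRUCTED_DEFINITION);
  } catch (err) {
    safeError = err.message;
  }
  return {
    naiveLoadedGreeter: typeof naive.helloworld.Greeter === 'object',
    polluted,
    leakedIntoFreshObject,
    safeError,
  };
}

console.log(demonstrate());
```

The hardened loader applies two independent defences: the explicit reject list catches the names that matter, and `Object.create(null)` means that even a missed name cannot reach a shared prototype. `prototypeHasKey` is the kind of check a test suite can run after loading configuration from any external source.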

What is the Impact of CVE-2020-7768?

Successful exploitation may allow attackers to cause a denial of service, manipulate application logic, or potentially achieve arbitrary code execution, leading to data breaches or system compromise.

What is the Exploitability of CVE-2020-7768?

Exploitation complexity is moderate. An attacker needs to provide specially crafted input that is processed by the `loadPackageDefinition` function. No specific authentication or privilege is required if the gRPC service definition loading process allows untrusted input. This is typically a remote attack, where an attacker interacts with a gRPC service that uses the vulnerable library to load its definitions from an external source. The primary prerequisite is an application using the vulnerable versions of `grpc` or `@grpc/grpc-js` and processing package definitions from potentially untrusted sources. The risk is increased if the application dynamically loads gRPC package definitions based on user input or external configuration.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-7768?

Available Upgrade Options

  • @grpc/grpc-js
    • <1.1.8 → Upgrade to 1.1.8
  • grpc
    • <1.24.4 → Upgrade to 1.24.4
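As an added example (not grpc's own tooling), the script below checks the two packages named in this advisory against the fixed versions listed above by walking the `packages` map of a lockfile in package-lock v2/v3 format. The lockfile content is constructed for illustration; nested copies under another dependency's `node_modules` are reported too, since those are the ones an `npm ls` glance often misses.

```javascript
// Added example, not part of the grpc project. Fixed versions are the ones
// stated in this advisory.
const FIXED_VERSIONS = {
  'grpc': '1.24.4',
  '@grpc/grpc-js': '1.1.8',
};

// Constructed lockfile fragment (package-lock v2/v3 "packages" shape).
const CONSTRUCTED_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/@grpc/grpc-js': { version: '1.1.7' },
    'node_modules/grpc': { version: '1.24.4' },
    'node_modules/legacy-client/node_modules/grpc': { version: '1.23.3' },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes dropped.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map((n) => Number.parseInt(n, 10) || 0);
}

// Numeric comparison per component, so "1.10.0" sorts after "1.2.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the package is one of the advisory's packages and the installed
// version is below the fixed version.
function isVulnerable(pkgName, version) {
  const fixed = FIXED_VERSIONS[pkgName];
  return fixed !== undefined && compareVersions(version, fixed) < 0;
}

// Walk every installed path; the package name is whatever follows the last
// "node_modules/" segment, which handles scoped and nested packages alike.
function findVulnerable(lock) {
  const hits = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || !entry || !entry.version) continue;
    const name = path.slice(idx + marker.length);
    if (isVulnerable(name, entry.version)) {
      hits.push({ path, name, version: entry.version, fixed: FIXED_VERSIONS[name] });
    }
  }
  return hits;
}

console.log(JSON.stringify(findVulnerable(CONSTRUCTED_LOCK), null, 2));
```

For a real project, replace `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a lockfile in the older v1 format keeps its tree under `dependencies` instead and would need a recursive walk.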

Additional Resources

What are Similar Vulnerabilities to CVE-2020-7768?

Similar Vulnerabilities: CVE-2020-7788, CVE-2020-7760, CVE-2020-7769, CVE-2020-7770, CVE-2020-7771