CVE-2022-25878
Prototype Pollution vulnerability in protobufjs
What is CVE-2022-25878 About?
The `protobufjs` package, specifically versions from 6.10.0 to 6.10.3 and 6.11.0 to 6.11.3, is affected by a Prototype Pollution vulnerability. This allows attackers to add or modify properties of the `Object.prototype`, which can lead to various impacts including arbitrary code execution or denial of service. Exploitation is relatively easy and requires only that untrusted input reach the vulnerable code.
Affected Software
- protobufjs
- >6.11.0, <6.11.3
- >6.10.0, <6.10.3
Technical Details
The `protobufjs` package is vulnerable to Prototype Pollution in the affected versions. The vulnerability can manifest in multiple ways:
- When untrusted user input is passed to the `util.setProperty` or `ReflectionObject.setParsedOption` functions. These functions assign properties on objects by a dotted path, and if the property path within the input contains a `__proto__` segment, an attacker can modify the global `Object.prototype`.
- By parsing or loading maliciously crafted `.proto` files. Such files can contain definitions that, when parsed by `protobufjs`, trigger the `__proto__` assignment, leading to prototype pollution.
Successful exploitation allows an attacker to inject or modify properties on the global `Object.prototype`, affecting all objects in the application and potentially leading to denial of service, remote code execution, or data manipulation.
What is the Impact of CVE-2022-25878?
Successful exploitation may allow attackers to inject arbitrary properties into the Object.prototype, which can lead to denial of service, remote code execution, or logic flaws in the application, depending on how arbitrary properties are handled.
What is the Exploitability of CVE-2022-25878?
Exploitation complexity is moderate, requiring the attacker to provide carefully crafted untrusted input, either as direct function parameters or within a `.proto` file. No authentication or special privileges are typically required. The vulnerability is often remotely reachable if the application processes untrusted user input that is then passed to the vulnerable `protobufjs` functions or used to load `.proto` files. The key prerequisite is that the application uses a vulnerable version of `protobufjs` and processes attacker-controlled data without proper sanitization. Risk is heightened in applications that expose `.proto` file uploads or directly deserialize untrusted data with `protobufjs`.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2022-25878?
About the Fix from Resolved Security
This patch prevents assignment to the `__proto__` property when using the `setProperty` function, effectively blocking prototype pollution attacks. By refusing to set properties named `__proto__`, it mitigates the vulnerability described in CVE-2022-25878, which allows attackers to manipulate object prototypes and potentially compromise application integrity.
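To make the `__proto__` path-segment issue from the Technical Details and the shape of the fix above concrete, here is an added example written for this page. It is a simplified dotted-path setter of our own, not protobufjs' `util.setProperty`; `setPropertyUnsafe` reproduces the pre-fix behaviour for the `__proto__` case, `setPropertySafe` rejects such segments (and, going beyond the upstream fix, also `constructor` and `prototype` as defence in depth), and `isPrototypePolluted` is a runtime check an application can run after handling untrusted input.

```javascript
"use strict";

// Segments the hardened variant refuses. The upstream fix blocks only
// "__proto__"; "constructor" and "prototype" are added here as extra defence.
const BLOCKED_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a dotted path such as "a.b.c" on dst and assign value at the end,
// creating intermediate plain objects as needed. (Reconstruction, not protobufjs code.)
function setPath(dst, path, value, blockDangerous) {
  if (typeof dst !== "object" || dst === null) throw new TypeError("dst must be an object");
  if (typeof path !== "string" || path.length === 0) throw new TypeError("path must be a non-empty string");
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length; i++) {
    const part = parts[i];
    // Hardened variant: stop before any segment that could reach a prototype.
    if (blockDangerous && BLOCKED_SEGMENTS.has(part)) {
      throw new Error(`refusing to set property segment "${part}"`);
    }
    if (i === parts.length - 1) {
      cur[part] = value;
    } else {
      // Without the guard, cur["__proto__"] resolves to Object.prototype, so the
      // final assignment lands on every plain object in the process.
      if (typeof cur[part] !== "object" || cur[part] === null) cur[part] = {};
      cur = cur[part];
    }
  }
  return dst;
}

// Pre-fix behaviour for the CVE's "__proto__" case.
function setPropertyUnsafe(dst, path, value) { return setPath(dst, path, value, false); }

// Post-fix behaviour: dangerous segments are rejected with an error.
function setPropertySafe(dst, path, value) { return setPath(dst, path, value, true); }

// Detection helper: has `key` been planted directly on Object.prototype?
// (An own property there is inherited by every fresh object.)
function isPrototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

Benign paths behave identically in both variants; only paths containing a blocked segment differ, which is the property to assert in a regression test when upgrading.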
Available Upgrade Options
- protobufjs
- >6.10.0, <6.10.3 → Upgrade to 6.10.3
- protobufjs
- >6.11.0, <6.11.3 → Upgrade to 6.11.3
Additional Resources
- https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js#L176-L197
- https://osv.dev/vulnerability/GHSA-g954-5hwp-pp24
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507
- https://github.com/protobufjs/protobuf.js/pull/1731
- https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f
- https://nvd.nist.gov/vuln/detail/CVE-2022-25878
- https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248
What are Similar Vulnerabilities to CVE-2022-25878?
Similar Vulnerabilities: CVE-2020-28267, CVE-2019-10741, CVE-2019-10756, CVE-2019-10742, CVE-2018-3721
