CVE-2022-25878
Prototype Pollution vulnerability in protobufjs (npm)
What is CVE-2022-25878 About?
The `protobufjs` package, specifically versions from 6.10.0 to 6.10.3 and 6.11.0 to 6.11.3, is affected by a Prototype Pollution vulnerability. This allows attackers to add or modify properties of the `Object.prototype`, which can lead to various impacts including arbitrary code execution or denial of service. Exploitation is relatively easy by supplying untrusted input.
Affected Software
- protobufjs
  - >6.11.0, <6.11.3
  - >6.10.0, <6.10.3
Technical Details
The protobufjs package is vulnerable to Prototype Pollution in the versions listed above. The vulnerability can manifest in two ways:
- When untrusted user input is passed to the util.setProperty or ReflectionObject.setParsedOption functions. These functions assign properties on objects by path, and if the property path within the input contains a __proto__ segment, an attacker can modify the global Object.prototype.
- By parsing or loading maliciously crafted .proto files. Such files can contain definitions that, when parsed by protobufjs, trigger the __proto__ assignment, leading to prototype pollution.
Successful exploitation allows an attacker to inject or modify properties on the global Object.prototype, affecting all objects in the application and potentially leading to denial of service, remote code execution, or data manipulation.
What is the Impact of CVE-2022-25878?
Successful exploitation may allow attackers to inject arbitrary properties into the Object.prototype, which can lead to denial of service, remote code execution, or logic flaws in the application, depending on how arbitrary properties are handled.
What is the Exploitability of CVE-2022-25878?
Exploitation complexity is moderate, requiring the attacker to provide carefully crafted untrusted input, either as direct function parameters or within a .proto file. No authentication or special privileges are typically required. The vulnerability is often remotely exploitable if the application processes untrusted user input that is then passed to the vulnerable protobufjs functions or used to load .proto files. The key prerequisite is that the application uses a vulnerable version of protobufjs and processes attacker-controlled data without proper sanitization. Risk is heightened in applications that accept .proto file uploads or directly deserialize untrusted data with protobufjs.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-25878?
About the Fix from Resolved Security
This patch prevents assignment to the __proto__ property when using the setProperty function, effectively blocking prototype pollution attacks. By refusing to set properties named __proto__, it mitigates the vulnerability described in CVE-2022-25878, which allows attackers to manipulate object prototypes and potentially compromise application integrity.
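The guard described above, as an added example that is not protobufjs's own code: a simplified path-based setter modeled on what util.setProperty does, which validates every path segment before using it as a key. The dotted path syntax and the helper names are assumptions; rejecting constructor and prototype in addition to __proto__ is defence in depth beyond the upstream fix.

```javascript
// Added example (not protobufjs's own code): a path-based property setter
// modeled on util.setProperty, with the guard the CVE-2022-25878 fix adds.
// The "a.b.c" path syntax and helper names are assumptions.

// Segments never allowed as keys while walking an untrusted path. The
// upstream fix rejects "__proto__"; "constructor" and "prototype" are
// rejected here too as defence in depth (an assumption beyond the page).
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function assertSafeSegment(segment) {
  if (FORBIDDEN_SEGMENTS.has(segment)) {
    throw new Error("refusing unsafe path segment " + JSON.stringify(segment));
  }
}

// Sets dst.<path> = value, creating intermediate plain objects as needed.
// Each segment is checked before use, so "__proto__.polluted" never reaches
// Object.prototype.
function setProperty(dst, path, value) {
  if (typeof dst !== "object" || dst === null) throw new TypeError("dst must be an object");
  if (typeof path !== "string" || path === "") throw new TypeError("path must be a non-empty string");
  const segments = path.split(".");
  let cur = dst;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    assertSafeSegment(key);
    if (i === segments.length - 1) {
      cur[key] = value;
    } else {
      // Descend only into own, non-null object properties; otherwise create one.
      if (!Object.prototype.hasOwnProperty.call(cur, key) ||
          typeof cur[key] !== "object" || cur[key] === null) {
        cur[key] = {};
      }
      cur = cur[key];
    }
  }
  return dst;
}

// True if the guard held: the unsafe path was rejected and a fresh object
// still has no "polluted" property afterwards.
function guardHolds() {
  let rejected = false;
  try {
    setProperty({}, "__proto__.polluted", "yes");
  } catch (e) {
    rejected = true;
  }
  return rejected && ({}).polluted === undefined;
}
```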
Available Upgrade Options
- protobufjs
  - >6.10.0, <6.10.3 → Upgrade to 6.10.3
- protobufjs
  - >6.11.0, <6.11.3 → Upgrade to 6.11.3
Additional Resources
- https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js#L176-L197
- https://osv.dev/vulnerability/GHSA-g954-5hwp-pp24
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507
- https://github.com/protobufjs/protobuf.js/pull/1731
- https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f
- https://nvd.nist.gov/vuln/detail/CVE-2022-25878
- https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248
What are Similar Vulnerabilities to CVE-2022-25878?
Similar Vulnerabilities: CVE-2020-28267, CVE-2019-10741, CVE-2019-10756, CVE-2019-10742, CVE-2018-3721
