CVE-2023-36665
Prototype Pollution vulnerability in protobufjs
What is CVE-2023-36665 About?
protobuf.js (versions 6.10.0-6.11.3 and 7.0.0-7.2.3) is vulnerable to Prototype Pollution, distinct from CVE-2022-25878. A user-controlled protobuf message can be leveraged by an attacker to add or overwrite properties on `Object.prototype`, impacting all objects in the application. This can lead to arbitrary code execution, denial of service, or other malicious behavior, and its ease of exploitation hinges on how the application processes untrusted protobuf input.
Affected Software
- protobufjs
- >6.10.0, <6.11.4
- >7.0.0, <7.2.5
Technical Details
This Prototype Pollution vulnerability in protobuf.js allows an attacker to inject properties into `Object.prototype`, which then affects all objects in the JavaScript application due to prototypal inheritance. The attack vectors involve providing untrusted input through specific functions of the library. An attacker can craft a protobuf message that, when parsed by `parse` or loaded via `load`/`loadSync` functions, or when passed to `ReflectionObject.setParsedOption` or `util.setProperty`, manipulates the `Object.constructor.prototype` chain. Specifically, the vulnerability allows for `Object.constructor.prototype.<new-property> = ...;` attacks. By setting arbitrary properties on `Object.prototype`, an attacker can modify application logic, bypass security checks, or trigger unexpected behavior.
What is the Impact of CVE-2023-36665?
Successful exploitation may allow attackers to execute arbitrary code, modify application data, bypass security mechanisms, or cause a denial of service, leading to various forms of system compromise.
What is the Exploitability of CVE-2023-36665?
Exploitation requires the ability to supply untrusted, specially crafted protobuf messages or related input to an application using protobuf.js. The complexity of crafting such input can range from moderate to high, depending on the specific attack vector chosen (e.g., `parse`, `load`, or `ReflectionObject.setParsedOption`). No authentication is explicitly stated, implying that if the application processes untrusted protobuf from external sources (e.g., API requests), an unauthenticated attacker could trigger it. Privilege requirements are those of the running application. This is typically a remote vulnerability, given that protobuf messages are often exchanged over networks. Risk factors include applications that deserialize untrusted protobuf messages without proper input validation or sandboxing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-36665?
About the Fix from Resolved Security
The patch adds tests to ensure that dangerous property paths like `__proto__.test`, `prototype.test`, and `constructor.prototype.test` do not mutate global object prototypes. This prevents prototype pollution, thereby fixing CVE-2023-36665, which stems from attackers exploiting such mutations to introduce unexpected or malicious behavior across all objects in the environment.
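The JavaScript below is an added example, not code from protobuf.js or from its patch. It shows, in a self-contained form, the mechanism described in the Technical Details section and exercised by the test paths above: a naive dotted-path setter (the shape of helper that turns an attacker-chosen option or field name into a write on `Object.prototype`) next to a hardened setter that refuses the dangerous path segments before walking, plus a small check a defender can use to confirm whether a process already carries a polluted key. The function names (`setPropertyNaive`, `setPropertySafe`, `pollutedKey`, `demo`), the sample paths and the choice to also refuse `constructor` are assumptions made for this illustration; they are not protobuf.js identifiers.

```javascript
// Added example (not protobufjs code). Path segments that let a dotted path
// escape the target object and reach a shared prototype. Refusing "constructor"
// as well as "__proto__" and "prototype" is a stricter choice made here.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);

// Naive setter: walks "a.b.c", creating intermediate objects, and assigns the leaf.
// Because it indexes with whatever key the path supplies, "__proto__.x" lands on
// Object.prototype and "constructor.prototype.x" reaches it via the Object function,
// so the final assignment becomes visible on every object in the process.
function setPropertyNaive(dst, path, value) {
  const parts = path.split('.');
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Hardened setter: rejects any dangerous segment up front and only descends
// into own, plain-object properties, so the walk can never leave `dst`.
function setPropertySafe(dst, path, value) {
  const parts = path.split('.');
  for (const part of parts) {
    if (DANGEROUS_SEGMENTS.has(part)) {
      throw new Error('refusing to set property through path segment: ' + part);
    }
  }
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Detection check: is `key` present directly on Object.prototype? A true result
// means every plain object in this process now inherits it.
function pollutedKey(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Runs both setters against one constructed hostile path and reports the outcome.
// The naive run is cleaned up immediately so the rest of the process is unaffected.
function demo(path) {
  const leaf = path.split('.').pop();
  setPropertyNaive({}, path, 'polluted');
  const naivePolluted = pollutedKey(leaf);
  delete Object.prototype[leaf];

  let safeRejected = false;
  try {
    setPropertySafe({}, path, 'polluted');
  } catch (e) {
    safeRejected = true;
  }
  return { path, naivePolluted, safeRejected, safePolluted: pollutedKey(leaf) };
}

// Constructed sample inputs: two hostile paths and one legitimate option path.
console.log(demo('__proto__.test'));
console.log(demo('constructor.prototype.test'));
console.log(setPropertySafe({}, 'options.deprecated', true));
```

The naive setter reports `naivePolluted: true` for both hostile paths, while the hardened setter throws before touching anything and leaves `Object.prototype` clean; the legitimate `options.deprecated` path still works. The `pollutedKey` check is the kind of probe worth running in a health endpoint or test suite of any service that feeds untrusted protobuf into the affected versions, since a polluted prototype persists for the life of the process.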
Available Upgrade Options
- protobufjs
- >6.10.0, <6.11.4 → Upgrade to 6.11.4
- protobufjs
- >7.0.0, <7.2.5 → Upgrade to 7.2.5
Additional Resources
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4
- https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d
- https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4
- https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665
- https://nvd.nist.gov/vuln/detail/CVE-2023-36665
- https://security.netapp.com/advisory/ntap-20240628-0006
- https://github.com/protobufjs/protobuf.js/issues/1918#issuecomment-1723500294
What are Similar Vulnerabilities to CVE-2023-36665?
Similar Vulnerabilities: CVE-2022-25878, CVE-2021-23358, CVE-2020-28469, CVE-2020-7788, CVE-2020-7798
