GHSA-xq3m-2v4x-88gg
Remote Code Execution vulnerability in protobufjs (npm)
What is GHSA-xq3m-2v4x-88gg About?
This vulnerability in `protobufjs` allows for Remote Code Execution (RCE) by manipulating protobuf definitions. Attackers can inject arbitrary JavaScript code into 'type' fields of these definitions, which then executes during object decoding. This flaw poses a critical risk by allowing arbitrary code execution when untrusted protobuf definition files are processed, and it is relatively easy to exploit with a crafted definition.
Affected Software
- protobufjs <7.5.5
- protobufjs >=8.0.0, <8.0.1
Technical Details
The protobufjs library, which compiles protobuf definitions into JavaScript functions, is vulnerable to remote code execution. Attackers can exploit this by injecting arbitrary JavaScript code into the `type` fields within protobuf definitions. When the library attempts to decode an object using such a crafted definition, the injected code is executed. The PoC provided demonstrates this by crafting a JSON descriptor with a malicious type field (`Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\nfunction X`). When `protobuf.Root.fromJSON` processes this descriptor and `UserType.decode` is called, the malicious JavaScript payload embedded in the type specification is executed, leading to arbitrary code execution.
What is the Impact of GHSA-xq3m-2v4x-88gg?
Successful exploitation may allow attackers to execute arbitrary code on the compromised system with the privileges of the running application, potentially leading to full system compromise, data exfiltration, or further attacks.
What is the Exploitability of GHSA-xq3m-2v4x-88gg?
Exploitation of this vulnerability requires an attacker to control or influence the protobuf definition files used by the target application. This typically involves cases where applications process untrusted protobuf definitions. There are no specific authentication or privilege requirements on the attacker's part beyond the ability to introduce a crafted definition. The execution is remote if the application retrieves and processes these definitions from an untrusted source, or local if the attacker can directly modify definitions on the system. The primary risk factor is the processing of untrusted input in the form of protobuf definition files, which can directly lead to code execution.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-xq3m-2v4x-88gg?
Available Upgrade Options
- protobufjs <7.5.5 → Upgrade to 7.5.5
- protobufjs >=8.0.0, <8.0.1 → Upgrade to 8.0.1
Additional Resources
What are Similar Vulnerabilities to GHSA-xq3m-2v4x-88gg?
Similar Vulnerabilities: CVE-2023-45136, CVE-2023-49034, CVE-2023-38501, CVE-2022-3536, CVE-2023-29400
