CVE-2022-25878 Overview
CVE-2022-25878 is a Prototype Pollution vulnerability in the protobufjs package before version 6.11.3. This vulnerability allows an attacker to add or modify properties of Object.prototype, potentially leading to property injection, denial of service, or in some cases, remote code execution depending on how the application uses the polluted objects.
The vulnerability can be triggered through multiple attack vectors: by providing untrusted user input to the util.setProperty or ReflectionObject.setParsedOption functions, or by parsing/loading malicious .proto files.
Critical Impact
Attackers can manipulate the JavaScript Object prototype chain through malicious input, potentially affecting all objects in the application and leading to unauthorized property modification or application compromise.
Affected Products
- protobufjs versions prior to 6.11.3
- Applications using protobufjs via Node.js package manager
- Java applications using protobufjs through WebJars (org.webjars.npm)
Discovery Timeline
- May 27, 2022 - CVE-2022-25878 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-25878
Vulnerability Analysis
Prototype Pollution is a JavaScript-specific vulnerability class that occurs when an application allows user-controlled input to modify properties of the base Object.prototype. Since nearly all JavaScript objects inherit from Object.prototype, polluting it can have far-reaching consequences across the entire application.
In protobufjs, the util.setProperty function was vulnerable because it did not properly validate property paths before setting values on destination objects. An attacker could craft input that traverses up the prototype chain using the __proto__ property, thereby injecting arbitrary properties into the global Object prototype.
The impact of this vulnerability includes the ability to modify application behavior by injecting properties that other code paths may rely upon, potential denial of service by corrupting critical object properties, and, in certain application contexts, escalation to remote code execution.
Root Cause
The root cause lies in the util.setProperty function within src/util.js. The function recursively sets nested properties on an object based on a provided path. Before the fix, there was no validation to prevent the __proto__ property from being used in the path, allowing attackers to escape the intended object scope and modify the global prototype chain.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can exploit this by:
- Sending malicious input to an application endpoint that passes untrusted data to util.setProperty or ReflectionObject.setParsedOption
- Providing a crafted .proto file for parsing that contains prototype-polluting payloads
- Manipulating nested property paths to include __proto__ segments that target the Object prototype
The following patch was applied to remediate the vulnerability by blocking __proto__ traversal:
util.setProperty = function setProperty(dst, path, value) {
function setProp(dst, path, value) {
var part = path.shift();
+ if (part === "__proto__") {
+ return dst;
+ }
if (path.length > 0) {
dst[part] = setProp(dst[part] || {}, path, value);
} else {
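Review bot: the new guard at `if (part === "__proto__")` returns `dst` silently, so a caller cannot tell a rejected path from a successful write and nothing reaches the logs; throwing (or at least logging) here would make the rejected input visible to error handling and monitoring. The check also covers only the literal `__proto__` segment, while the line `dst[part] = setProp(dst[part] || {}, path, value)` still follows whatever already exists at `part`, so the `constructor` / `prototype` pair of segments that the detection section of this page lists as a signature should be rejected here as well.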
Source: GitHub Commit Changes
Detection Methods for CVE-2022-25878
Indicators of Compromise
- Unexpected properties appearing on JavaScript objects that were not explicitly set by application code
- Application behavior anomalies resulting from prototype chain modifications
- Error messages or exceptions related to unexpected object property types or values
- Log entries showing suspicious input containing __proto__, constructor, or prototype strings
Detection Strategies
- Implement Software Composition Analysis (SCA) scanning to identify vulnerable protobufjs versions in your dependency tree
- Use runtime application monitoring to detect attempts to access or modify __proto__ properties
- Deploy Web Application Firewall (WAF) rules to block requests containing prototype pollution payloads
- Integrate dependency scanning in CI/CD pipelines using tools like npm audit or Snyk
Monitoring Recommendations
- Monitor application logs for input patterns containing __proto__, constructor.prototype, or similar prototype pollution signatures
- Set up alerts for unexpected application behavior that could indicate successful prototype pollution
- Track and audit all protobufjs usage points where user input is processed
- Implement integrity monitoring for critical object properties in sensitive application contexts
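As an added illustration of the log-monitoring items above (example code, not part of the advisory or of protobufjs), a small scanner that parses the JSON body out of constructed request-log lines and flags the `__proto__` and `constructor.prototype` signatures at any nesting depth; the log line format and the endpoint path are assumptions.

```javascript
// Added example, not from the advisory: flags prototype-pollution signatures in
// JSON bodies found in constructed log lines "<timestamp> <method> <path> <json>".

// Returns the dotted key paths in a parsed JSON value that match the
// signatures named above: a "__proto__" key anywhere, or a "prototype" key
// directly under a "constructor" key. JSON.parse keeps both as own keys,
// so Object.entries sees them.
function findSuspiciousPaths(value, prefix = [], out = []) {
  if (value === null || typeof value !== "object") return out;
  for (const [key, child] of Object.entries(value)) {
    const path = prefix.concat(key);
    const underConstructor = prefix[prefix.length - 1] === "constructor";
    if (key === "__proto__" || (key === "prototype" && underConstructor)) {
      out.push(path.join("."));
    }
    findSuspiciousPaths(child, path, out);
  }
  return out;
}

// Parses one log line. A body that is not valid JSON is reported rather
// than skipped, since malformed input to an endpoint that feeds protobufjs
// is itself worth a look.
function scanLogLine(line) {
  const m = /^(\S+) (\S+) (\S+) (.*)$/.exec(line);
  if (!m) return { line, status: "unparsed", hits: [] };
  let body;
  try {
    body = JSON.parse(m[4]);
  } catch (e) {
    return { line, status: "bad-json", hits: [] };
  }
  const hits = findSuspiciousPaths(body);
  return { line, status: hits.length > 0 ? "alert" : "clean", hits };
}

// Returns only the lines that need attention.
function scanLog(lines) {
  return lines.map(scanLogLine).filter((r) => r.status !== "clean");
}

// Constructed sample lines (not real traffic).
const SAMPLE_LOG = [
  '2024-01-01T00:00:00Z POST /api/options {"name":"svc","options":{"java_package":"x"}}',
  '2024-01-01T00:00:01Z POST /api/options {"options":{"__proto__":{"polluted":true}}}',
  '2024-01-01T00:00:02Z POST /api/options {"constructor":{"prototype":{"isAdmin":true}}}',
  '2024-01-01T00:00:03Z POST /api/options {not json',
];
```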
How to Mitigate CVE-2022-25878
Immediate Actions Required
- Upgrade protobufjs to version 6.11.3 or later immediately
- Audit application code for all usage of util.setProperty and ReflectionObject.setParsedOption functions
- Implement input validation to reject inputs containing prototype-related property names
- Review and restrict sources of .proto files loaded by your application
Patch Information
The vulnerability has been patched in protobufjs version 6.11.3. The fix adds validation in the setProperty function to explicitly block __proto__ property traversal, preventing prototype chain manipulation.
For detailed information about the fix, refer to:
- GitHub Commit Changes
- GitHub Pull Request Discussion
- Snyk JavaScript Vulnerability Report
- Snyk Java Vulnerability Report
Workarounds
- If immediate upgrade is not possible, implement a wrapper function that validates property paths before calling protobufjs functions
- Use Object.freeze(Object.prototype) in application initialization to prevent prototype modifications (note: may cause compatibility issues)
- Validate and sanitize all user input before passing to protobufjs parsing functions
- Avoid loading .proto files from untrusted sources
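The recursive path setter described under Root Cause, re-implemented here in its pre-fix form next to a hardened version of the kind the first workaround above describes, with a checker that reports whether Object.prototype was touched. This is an added example, not protobufjs code; the function names and the constructed `polluted` key are assumptions.

```javascript
// Added example, not protobufjs code: the recursive path setter the advisory
// describes, in its pre-fix form and a hardened form, plus a checker.

// Pre-fix behaviour: every path segment is followed blindly, so a "__proto__"
// segment climbs from the destination object into Object.prototype.
function setPropertyUnsafe(dst, path, value) {
  const part = path.shift();
  if (path.length > 0) {
    dst[part] = setPropertyUnsafe(dst[part] || {}, path, value);
  } else {
    dst[part] = value;
  }
  return dst;
}

// Hardened form: rejects "__proto__" (the 6.11.3 check) and also "constructor"
// and "prototype", because `dst[part] || {}` follows an existing constructor
// property up to its prototype object. Rejection throws rather than silently
// returning, so the bad input shows up in logs and error handling.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function setPropertySafe(dst, path, value) {
  const part = path.shift();
  if (FORBIDDEN_SEGMENTS.has(part)) {
    throw new Error(`rejected prototype-related path segment: ${part}`);
  }
  if (path.length > 0) {
    dst[part] = setPropertySafe(dst[part] || {}, path, value);
  } else {
    dst[part] = value;
  }
  return dst;
}

// Runs a setter on a fresh object with a constructed path and reports whether
// Object.prototype gained the final key as an own property. The key is deleted
// afterwards so the check leaves the runtime clean.
function pollutesPrototype(setter, path) {
  const key = path[path.length - 1];
  try {
    setter({}, path.slice(), "injected");
  } catch (e) {
    // a rejected path throws; pollution is checked below either way
  }
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, key);
  delete Object.prototype[key];
  return leaked;
}
```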
# Upgrade protobufjs to the patched version (npm install accepts a version range; npm update does not)
npm install protobufjs@^6.11.3
# Verify installed version
npm list protobufjs
# Run security audit to check for vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

