CVE-2023-36665 Overview
protobuf.js (aka protobufjs) versions 6.10.0 through 7.x before 7.2.5 are vulnerable to Prototype Pollution, a distinct vulnerability from CVE-2022-25878. This vulnerability allows an attacker to use a user-controlled protobuf message to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can occur through multiple attack vectors: (1) using the parse function to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.
Critical Impact
This Prototype Pollution vulnerability enables attackers to manipulate JavaScript object prototypes, potentially leading to remote code execution, denial of service, or security bypass in applications using vulnerable protobuf.js versions.
Affected Products
- protobuf.js versions 6.10.0 through 7.2.4 (Node.js)
- Applications using vulnerable protobufjs_project protobufjs packages
- Systems processing untrusted protobuf messages or .proto files
Discovery Timeline
- July 5, 2023 - CVE-2023-36665 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-36665
Vulnerability Analysis
This Prototype Pollution vulnerability exists in protobuf.js due to insufficient validation of property paths in the util.setProperty function. The function allows setting nested object properties based on a path string, but prior to the fix, it only blocked the __proto__ property while failing to block the prototype property. This incomplete safeguard allows attackers to pollute the prototype chain of JavaScript objects.
Prototype Pollution is particularly dangerous in Node.js environments because modifications to Object.prototype affect all objects in the application, potentially enabling attackers to inject malicious properties that get inherited by security-critical objects. The vulnerability can be triggered through three distinct code paths: parsing protobuf messages dynamically, loading .proto definition files, or directly calling the vulnerable utility functions with attacker-controlled input.
Root Cause
The root cause lies in the util.setProperty function in src/util.js, which implemented an incomplete blocklist for dangerous property names. While the original code prevented setting __proto__ (the legacy prototype accessor), it failed to block prototype (the constructor prototype property). Both properties can be used to achieve prototype pollution in JavaScript, making the mitigation insufficient.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by sending a maliciously crafted protobuf message or .proto file to an application that processes untrusted input using protobuf.js. The attacker includes specially crafted field names or options that, when processed by the vulnerable functions, write properties to Object.prototype.
util.setProperty = function setProperty(dst, path, value) {
function setProp(dst, path, value) {
var part = path.shift();
- if (part === "__proto__") {
+ if (part === "__proto__" || part === "prototype") {
return dst;
}
if (path.length > 0) {
Source: GitHub Commit e66379f
The security patch adds prototype to the blocklist alongside __proto__, preventing both known vectors for prototype pollution attacks.
Detection Methods for CVE-2023-36665
Indicators of Compromise
- Unexpected properties appearing on Object.prototype in application memory
- Application behavior anomalies after processing protobuf messages from untrusted sources
- Error logs indicating property access on unexpected prototype chain elements
- Signs of prototype pollution attacks such as authentication bypasses or unauthorized data access
Detection Strategies
- Audit package.json and package-lock.json files for protobufjs versions between 6.10.0 and 7.2.4
- Use software composition analysis (SCA) tools to scan for vulnerable protobuf.js dependencies
- Implement runtime monitoring to detect modifications to Object.prototype
- Review application logs for suspicious protobuf message processing errors
Monitoring Recommendations
- Monitor for unexpected application behavior after protobuf message processing
- Implement integrity checks on Object.prototype in security-sensitive applications
- Enable detailed logging for protobuf parsing operations in production environments
- Use Node.js security modules that can detect prototype pollution attempts
How to Mitigate CVE-2023-36665
Immediate Actions Required
- Upgrade protobuf.js to version 7.2.5 or later immediately
- Audit applications to identify all instances of protobuf.js usage
- Review code paths that process untrusted protobuf messages or load external .proto files
- Consider implementing Object.freeze on Object.prototype as a defense-in-depth measure
Patch Information
The vulnerability is fixed in protobuf.js version 7.2.5. The fix adds prototype to the blocklist in the util.setProperty function, preventing attackers from using either __proto__ or prototype to pollute the object prototype chain. Organizations should update to the patched version through their package manager.
For detailed patch information, see the GitHub Pull Request #1899 and the version comparison between 7.2.3 and 7.2.4.
Workarounds
- Avoid processing protobuf messages or .proto files from untrusted sources until patched
- Implement input validation to reject protobuf content containing suspicious property paths
- Use Object.freeze(Object.prototype) at application startup as a temporary mitigation
- Isolate protobuf processing in sandboxed environments with limited privileges
# Update protobuf.js to the patched version
npm update protobufjs@latest
# Verify installed version is 7.2.5 or later
npm list protobufjs
# Alternative: Pin to specific patched version
npm install protobufjs@7.2.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
