Vulnerability identifier: #VU78870
Vulnerability risk: Critical
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]
CVE-ID:
CWE-ID: CWE-1321
Exploitation vector: Network
Exploit availability: No
Vulnerable software: protobuf.js
Software category: Universal components / Libraries / Programming Languages & Components
Vendor: protobuf.js
Description
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pollute Object.prototype by adding or overwriting its properties and functions.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
protobuf.js: before 7.2.4
External links
https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d
https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4
https://github.com/protobufjs/protobuf.js/pull/1899
https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.