Vulnerabilities > CVE-2022-25878 - Unspecified vulnerability in Protobufjs Project Protobufjs
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files
Vulnerable Configurations
References
- https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197
- https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197
- https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f
- https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f
- https://github.com/protobufjs/protobuf.js/pull/1731
- https://github.com/protobufjs/protobuf.js/pull/1731
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507
- https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248
- https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248