protobufjs Overlong UTF-8 Byte Sequence Handling Vulnerability Bypassing Application-Level Validation

Vulnerability

A vulnerability exists in protobufjs versions prior to 7.5.6 and 8.0.2: the library's UTF-8 decoder did not reject overlong byte sequences (a character encoded with more bytes than the canonical form requires) but instead converted them to the canonical character. An attacker who controls protobuf binary data can therefore encode a character non-canonically so that application-level checks which examine the raw bytes before decoding do not see the byte that the decoder later produces. The issue matters most where decoded strings are used in security-sensitive situations.

Impact

Exploitation of this vulnerability could bypass byte-level validation checks, allowing unexpected ASCII characters to appear in decoded strings. The actual impact depends on how the affected application processes those strings.

Remediation

Users can upgrade to protobufjs versions 7.5.6 or 8.0.2. For applications using the @protobufjs/utf8 package, version 1.1.1 is available. It is also recommended to validate decoded strings in security-sensitive contexts and to use native UTF-8 decoding when possible.
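The defensive pattern the Vulnerability and Remediation sections describe, as an added example that is not protobufjs code: a raw-byte scan for overlong lead bytes plus a strict native decode, applied to a constructed string field. The field policy (no "." or "/") and the sample bytes are assumptions for illustration.

```javascript
// Added example (not protobufjs code): reject overlong UTF-8 both before and
// after decoding, so a byte-level check cannot be sidestepped by a
// non-canonical encoding that a lenient decoder would fold into ASCII.

// Scan raw bytes for overlong sequences. Returns the index of the first
// offending lead byte, or -1 if none. Only overlong forms are checked here;
// other malformed input is left to the fatal decoder below.
function findOverlong(bytes) {
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i];
    const next = bytes[i + 1];
    if (b === 0xc0 || b === 0xc1) return i;                        // 2-byte form of U+0000..U+007F
    if (b === 0xe0 && next !== undefined && next < 0xa0) return i; // 3-byte form of < U+0800
    if (b === 0xf0 && next !== undefined && next < 0x90) return i; // 4-byte form of < U+10000
  }
  return -1;
}

// Strict decode: the WHATWG decoder in fatal mode throws on overlong,
// truncated and surrogate sequences instead of silently repairing them.
function decodeUtf8Strict(bytes) {
  return new TextDecoder("utf-8", { fatal: true }).decode(Uint8Array.from(bytes));
}

// Validation an application could apply to a decoded string field: check the
// bytes, decode strictly, then apply the character-level policy (assumed
// rule for this example: no "." or "/" in a file-name-like field).
function validateNameField(bytes) {
  if (findOverlong(bytes) !== -1) return { ok: false, reason: "overlong" };
  let s;
  try { s = decodeUtf8Strict(bytes); } catch { return { ok: false, reason: "malformed" }; }
  if (/[./]/.test(s)) return { ok: false, reason: "forbidden-char" };
  return { ok: true, value: s };
}

// Constructed samples: "hi." encoded canonically, and with "." encoded as the
// overlong pair 0xC0 0xAE, which a lenient decoder would also read as ".".
const CANONICAL = [0x68, 0x69, 0x2e];
const OVERLONG = [0x68, 0x69, 0xc0, 0xae];
```

A byte-only check for 0x2E would pass the second sample, which is exactly the gap the fixed decoder and the strict decode close.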

Added: May 13, 2026, 5:28 PM
Updated: May 13, 2026, 5:28 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.6
exploitability: 4.7
remediation: 8.3
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.