protobufjs
cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:node.js:*:*
- <= 7.5.5
- >= 8.0.0, <= 8.0.1
A denial-of-service vulnerability has been identified in protobufjs versions prior to 7.5.6 and 8.0.2. The issue arises because protobufjs allowed certain schema option paths to traverse inherited object properties while applying options. This could lead to option handling writing to properties on global JavaScript constructors, corrupting built-in functionality across the process. The vulnerability is exploitable when an application loads or parses protobuf schemas or JSON descriptors from untrusted sources using protobufjs reflection APIs.
Exploitation of this vulnerability can cause a persistent denial-of-service condition for the duration of the affected process, by corrupting the process's built-in state in a way that disrupts normal application or protobufjs operations.
Users can upgrade to protobufjs versions 7.5.6 or 8.0.2 to address this vulnerability. If untrusted schemas must be accepted, it is recommended to validate or reject option names containing unsafe property path components before loading them, and to run schema processing in an isolated process.
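The following is an added example of the pre-load validation the advisory recommends; it is not protobufjs code. It walks a JSON descriptor object (assumed to follow protobufjs's `nested`/`fields`/`options` layout) and rejects any option name whose dotted path contains a segment that reaches inherited object properties. The checked segment names (`__proto__`, `constructor`, `prototype`) and the sample descriptor are assumptions constructed for the example, not values taken from the advisory.

```javascript
// Added example (not protobufjs code): reject descriptor option names whose
// dotted path contains a segment that could reach inherited object properties.
// The segment list below is an assumption, not taken from the advisory.
const UNSAFE_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split an option name such as "(my.ext).deep.key" into its path segments.
function optionPathSegments(name) {
  return String(name)
    .replace(/[()]/g, "") // "(pkg.ext).x" -> "pkg.ext.x"
    .split(".")
    .map((s) => s.trim());
}

function isUnsafeOptionName(name) {
  return optionPathSegments(name).some((s) => UNSAFE_SEGMENTS.has(s));
}

// Walk a parsed JSON descriptor and collect every unsafe option name with its location.
// Only own keys are visited; the descriptor must come from JSON.parse, not an object
// literal, so that a key named "__proto__" is an own property rather than the prototype.
function findUnsafeOptions(descriptor, path = "root", found = []) {
  if (descriptor === null || typeof descriptor !== "object") return found;
  if (Array.isArray(descriptor)) {
    descriptor.forEach((v, i) => findUnsafeOptions(v, `${path}[${i}]`, found));
    return found;
  }
  for (const key of Object.keys(descriptor)) {
    const value = descriptor[key];
    if (key === "options" && value !== null && typeof value === "object") {
      for (const optName of Object.keys(value)) {
        if (isUnsafeOptionName(optName)) found.push({ at: `${path}.options`, option: optName });
      }
    }
    findUnsafeOptions(value, `${path}.${key}`, found);
  }
  return found;
}

// Gate to call before handing an untrusted descriptor to a reflection loader.
function assertSafeDescriptor(descriptor) {
  const bad = findUnsafeOptions(descriptor);
  if (bad.length > 0) {
    throw new Error("unsafe option names: " + bad.map((b) => `${b.option} at ${b.at}`).join("; "));
  }
  return descriptor;
}

// Constructed sample descriptor (assumption): one safe option and two unsafe ones.
const SAMPLE_DESCRIPTOR = JSON.parse(`{"nested":{"demo":{"nested":{"Msg":{
  "options":{"(demo.safe)":true,"__proto__.polluted":"x"},
  "fields":{"id":{"type":"int32","id":1,"options":{"constructor.prototype.x":1}}}}}}}}`);
```

Run the gate on the sample and it throws, naming both offending option names and where they sit; a descriptor whose options use only plain names passes through unchanged.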