protobufjs
cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:node.js:*:*
- <= 7.5.5
- >= 8.0.0, <= 8.0.1
protobufjs versions before 7.5.6 (7.x line) and before 8.0.2 (8.x line) are susceptible to prototype pollution that can be escalated to arbitrary JavaScript code execution. The root cause is that protobufjs used plain objects, which inherit from Object.prototype, as its internal type lookup tables. If Object.prototype has already been polluted, a lookup for a name that is not a registered type falls through to the prototype chain, and an attacker-controlled inherited property is treated as valid protobuf type information. Because protobufjs generates JavaScript source from that type information, attacker-controlled strings can end up inside the generated code. Exploitation requires a separate, reachable prototype pollution primitive to be triggered before protobufjs is used; in other words, the application must process untrusted input that can modify Object.prototype.
Exploitation of this vulnerability, following a successful prototype pollution attack, could lead to arbitrary execution of JavaScript code within the application.
Upgrade to protobufjs 7.5.6 or later on the 7.x line, or 8.0.2 or later on the 8.x line. If an immediate upgrade is not feasible, remove or mitigate any reachable prototype pollution primitives (unsafe deep merges, recursive object extension, path-based setters that accept "__proto__" or "constructor" keys from untrusted input) and isolate schema or message processing from untrusted application state.