protobufjs Code Injection Vulnerability in Generated toObject Conversion

Vulnerability

A code injection vulnerability has been identified in protobufjs versions prior to 7.5.6 and 8.0.2. The issue lies in the JavaScript functions that protobufjs generates for 'toObject' conversion: the default value of a bytes field, which is controlled by the schema, is emitted into the generated function as an expression, so a descriptor crafted with a non-string default value for a bytes field causes attacker-controlled code to be emitted into the conversion function. This allows execution of arbitrary JavaScript in the context of the process using protobufjs, but only if the application loads an untrusted schema or descriptor and then converts a message of the affected type with default values enabled.

Impact

Exploitation of this vulnerability could result in arbitrary code execution within the process that uses protobufjs.

Remediation

Users are advised to update to protobufjs versions 7.5.6 or 8.0.2. If untrusted schemas must be accepted, validate or restrict field options before loading them and run schema processing in an isolated environment.
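As an added defensive example, not code from this advisory or from the protobufjs project, the check below implements the "validate or restrict field options before loading" advice for this specific bug: it walks a protobufjs JSON descriptor and rejects any bytes field whose schema-supplied default is not a plain string, before the descriptor is handed to protobuf.Root.fromJSON. It assumes the protobufjs JSON descriptor layout (nested / fields / options.default); the sample descriptors are constructed for the example.

```javascript
// Walk a protobufjs JSON descriptor and collect every bytes field whose
// schema-supplied default is not a string. Assumed layout (protobufjs JSON):
// { nested: { Pkg: { nested: { Msg: { fields: { f: { type, id, options: { default } } } } } } } }
function findUnsafeBytesDefaults(descriptor, path = [], findings = []) {
  const nested = descriptor && descriptor.nested;
  if (!nested || typeof nested !== "object") return findings;
  for (const [name, node] of Object.entries(nested)) {
    const here = path.concat(name);
    const fields = node && node.fields;
    if (fields && typeof fields === "object") {
      for (const [fname, field] of Object.entries(fields)) {
        const opts = field && field.options;
        const hasDefault = !!opts && Object.prototype.hasOwnProperty.call(opts, "default");
        // Only a bytes field with a non-string default reaches the vulnerable code path.
        if (field && field.type === "bytes" && hasDefault && typeof opts.default !== "string") {
          findings.push({ field: here.concat(fname).join("."), defaultType: typeof opts.default });
        }
      }
    }
    // Messages and namespaces may contain further nested definitions.
    findUnsafeBytesDefaults(node, here, findings);
  }
  return findings;
}

// Gate to call before protobuf.Root.fromJSON(descriptor) on untrusted input.
function assertSafeDescriptor(descriptor) {
  const bad = findUnsafeBytesDefaults(descriptor);
  if (bad.length > 0) {
    throw new Error("refusing descriptor: non-string bytes default at " + bad.map((b) => b.field).join(", "));
  }
  return descriptor;
}

// Constructed sample descriptors (not taken from any real project).
const SAFE_DESCRIPTOR = {
  nested: { demo: { nested: { Blob: { fields: { data: { type: "bytes", id: 1, options: { default: "abc" } } } } } } },
};
const UNSAFE_DESCRIPTOR = {
  nested: { demo: { nested: { Blob: { fields: { data: { type: "bytes", id: 1, options: { default: { injected: true } } } } } } } },
};
```

The walker only inspects the descriptor object, so it can run in a separate, unprivileged step before any protobufjs code is invoked on untrusted input.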

Added: May 13, 2026, 5:25 PM
Updated: May 13, 2026, 5:25 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 4.1
remediation: 7.9
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce the scores for these 8 key vulnerability categories, which are then combined to calculate the overall risk score.