protobufjs
cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:node.js:*:*
- <= 7.5.5
- >= 8.0.0, <= 8.0.1
A denial-of-service vulnerability has been identified in protobufjs versions prior to 7.5.6 and 8.0.2. protobufjs generates JavaScript property accessors from the field and oneof names defined in a schema, and certain control characters in those names were not escaped before being pasted into the generated function bodies. A maliciously crafted .proto schema or JSON descriptor can therefore make the generated encoding, decoding, verification, or conversion functions fail to compile. Applications that load schemas or descriptors from untrusted sources are exposed: the runtime code generation fails and throws a syntax error. The issue is not known to allow code execution on its own.
Exploitation of this vulnerability causes a syntax error during the protobufjs code generation process, making the affected message types unusable. This creates a denial-of-service condition for applications that load untrusted schemas or descriptors.
Upgrading to 7.5.6 or 8.0.2 resolves the issue. On vulnerable versions, do not load protobuf schemas or JSON descriptors from untrusted sources. If untrusted schemas must be accepted, validate every field and oneof name before loading and reject any name that contains control characters.
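The following is an added example, not code from protobufjs or its maintainers. It illustrates both points above: a simplified stand-in for the accessor code generation shows why an unescaped control character in a name breaks the generated function body (and why escaping the literal fixes it), and a pre-load validator walks a protobufjs-style JSON descriptor (the `{ nested: { Msg: { fields, oneofs, nested, values, methods } } }` shape that `Root.fromJSON()` consumes) and rejects unsafe names. The function names, the `strict` option and the sample descriptors are ours; `strict` enforces the .proto identifier syntax, which is tighter than the advisory's minimum advice of rejecting control characters.

```javascript
// Added example, not protobufjs code. Part 1 is a simplified stand-in for the
// generated-accessor code: the property name is pasted into a string literal
// inside a function body and compiled with new Function(), as a code generator
// would. It is not protobufjs's actual generator.
function accessorCompiles(name, escape) {
  // Unescaped: a literal newline inside "..." is an unterminated string literal.
  // Escaped: JSON.stringify() yields a valid JS string literal for any name.
  const literal = escape ? JSON.stringify(name) : '"' + name + '"';
  try {
    new Function('m', 'return m[' + literal + ']');
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Part 2: pre-load validation of a descriptor, the mitigation for vulnerable
// versions. Names are checked against the advisory's rule (no control
// characters) and, with strict=true, against .proto identifier syntax.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;   // identifier syntax of the .proto grammar
const CONTROL = /[\x00-\x1f\x7f-\x9f]/;      // C0 controls, DEL, C1 controls

function checkName(name, where, errors, strict) {
  if (CONTROL.test(name)) {
    errors.push(`${where}: control character in name ${JSON.stringify(name)}`);
  } else if (strict && !IDENT.test(name)) {
    errors.push(`${where}: not a valid protobuf identifier ${JSON.stringify(name)}`);
  }
}

// Walks every namespace, message, field, oneof, enum value and RPC method name
// and returns the list of violations. An empty list means the descriptor is
// safe to hand to Root.fromJSON().
function validateDescriptor(descriptor, { strict = true } = {}) {
  const errors = [];
  const walk = (node, path) => {
    if (!node || typeof node !== 'object') return;
    for (const key of ['fields', 'oneofs', 'values', 'methods']) {
      for (const name of Object.keys(node[key] || {})) {
        checkName(name, `${path}.${key}`, errors, strict);
      }
    }
    // oneof members reference field names by string; check those as well.
    for (const oneof of Object.values(node.oneofs || {})) {
      for (const member of oneof.oneof || []) {
        checkName(member, `${path}.oneofs`, errors, strict);
      }
    }
    for (const [name, child] of Object.entries(node.nested || {})) {
      checkName(name, `${path}.nested`, errors, strict);
      walk(child, `${path}.${JSON.stringify(name)}`);
    }
  };
  walk(descriptor, 'root');
  return errors;
}

// Throwing wrapper so a caller cannot accidentally load a rejected descriptor.
function assertSafeDescriptor(descriptor, opts) {
  const errors = validateDescriptor(descriptor, opts);
  if (errors.length) {
    throw new Error('Refusing to load descriptor:\n  ' + errors.join('\n  '));
  }
  return descriptor;
}

// Constructed sample descriptors (not taken from any real project).
const GOOD_DESCRIPTOR = {
  nested: {
    demo: {
      nested: {
        Greeting: {
          oneofs: { payload: { oneof: ['text', 'count'] } },
          fields: {
            text:  { type: 'string', id: 1 },
            count: { type: 'int32',  id: 2 },
          },
        },
      },
    },
  },
};

// Same shape, but one field name carries a literal newline.
const BAD_DESCRIPTOR = {
  nested: {
    demo: {
      nested: {
        Greeting: {
          fields: { 'text\nalert': { type: 'string', id: 1 } },
        },
      },
    },
  },
};
```

In an application the call would be `protobuf.Root.fromJSON(assertSafeDescriptor(untrustedJson))`; for `.proto` text, parse it first with `protobuf.parse()` and run the same walk over `root.toJSON()` before generating any message types. The strict identifier check is the safer default: anything that is not a legal protobuf identifier has no business being a field name, regardless of whether a particular character happens to break the generated code.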