Headline
CVE-2023-36665: fix: do not let setProperty change the prototype (#1899) · protobufjs/protobuf.js@e66379f
protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about “Object.constructor.prototype.<new-property> = …;” whereas CVE-2022-25878 was about “Object.__proto__.<new-property> = …;” instead.
@@ -95,6 +95,15 @@ tape.test("util", function(test) {
util.setProperty(o, 'prop.subprop’, { subsub2: 7});
test.same(o, {prop1: [5, 6], prop: {subprop: [{subsub: [5,6]}, {subsub2: 7}]}}, “should convert nested properties to array”);
util.setProperty({}, "__proto__.test", “value”);
test.is({}.test, undefined);
util.setProperty({}, "prototype.test", “value”);
test.is({}.test, undefined);
util.setProperty({}, "constructor.prototype.test", “value”);
test.is({}.test, undefined);
test.end();
});
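Review bot: The `prototype.test` case likely passes with or without the fix, because a plain `{}` has no `prototype` property and a write under that key would land on the target object rather than on `Object.prototype`, so `test.is({}.test, undefined)` cannot tell the two apart. Keeping a reference to the target and asserting on it would make the case meaningful, e.g. `var target = {}; util.setProperty(target, "prototype.test", "value"); test.notOk(Object.prototype.hasOwnProperty.call(target, "prototype"), "should ignore prototype in the path");` (assuming the intended behaviour is to skip such paths; `setProperty` itself is not visible here). All three cases also probe the same key `test` with no assertion message, so a regression in the first would leave `Object.prototype.test` set, fail the later two as well and leak into the rest of the suite; a distinct key per case and a message on each `test.is` would show which path regressed. The enclosing `tape.test("util", ...)` callback starts outside the hunk.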