
CVE-2022-25878 - Fix for version 5.0.3

Open shacharkabi1 opened this issue 2 years ago • 3 comments

protobuf.js version: 5.0.3

I would like to fork a new branch for version 5.0.3 in order to solve CVE-2022-25878, but I couldn't understand where the exposed code is in this version. Any idea?

Also, I would like to upgrade to a newer version, but couldn't find any document that describes the migration steps to do it. It seems to have a lot of breaking changes, and it's very hard to upgrade this package.

shacharkabi1 avatar Aug 01 '23 08:08 shacharkabi1

According to NIST, the setProperty() function in the src/utils allows for modification of Object prototype properties via certain accessors, such as prototype. A remote attacker can exploit this vulnerability with crafted JSON data that, when consumed by the vulnerable function, may modify the prototyped behavior of objects. 6.8.8 seems fine as well. If you wanna work on this, I can help you.

memartello avatar Aug 03 '23 16:08 memartello
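
The class of flaw described in the comment above, shown as an added example that is not part of the original thread and is not protobuf.js code: a naive dotted-path setter beside a hardened one, plus a regression check for fork maintainers. The names `setPropertyUnsafe`, `setPropertySafe` and `pollutes`, and the dotted-path format, are assumptions made for illustration.

```javascript
// Added illustration, NOT the protobuf.js source; every name below is hypothetical.

// Path segments that resolve to a prototype object and must never be traversed.
const FORBIDDEN_KEYS = new Set(["__proto__", "prototype", "constructor"]);

// Naive dotted-path setter: follows any segment, including inherited ones.
function setPropertyUnsafe(dst, path, value) {
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Hardened setter: rejects forbidden segments, descends only into own object properties.
function setPropertySafe(dst, path, value) {
  if (typeof path !== "string" || path === "") {
    throw new TypeError("path must be a non-empty string");
  }
  const parts = path.split(".");
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) throw new TypeError("illegal path segment: " + part);
  }
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== "object") cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Regression check: true if `setter` lets `prefix` write onto Object.prototype.
function pollutes(setter, prefix) {
  const marker = "constructedMarker"; // constructed sample key
  try {
    setter({}, prefix + "." + marker, true);
  } catch (err) {
    // a rejected path is the expected outcome for the hardened setter
  }
  const leaked = ({})[marker] === true;
  delete Object.prototype[marker]; // restore global state
  return leaked;
}
```

Running `pollutes` against whatever path-setting helper a backport touches gives a quick before/after signal that the guard is in place.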

Hi @memartello, thanks for your answer. I don't see a src/utils file in version 5.0.3. Am I missing something?

shacharkabi1 avatar Aug 06 '23 05:08 shacharkabi1

Hi @memartello, any updates?

shacharkabi1 avatar Sep 10 '23 07:09 shacharkabi1