#VU78870 Prototype pollution in protobuf.js


Published: 2023-08-02

Vulnerability identifier: #VU78870

Vulnerability risk: Critical

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2023-36665

CWE-ID: CWE-1321

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
protobuf.js
Universal components / Libraries / Programming Languages & Components

Vendor:

Description

The vulnerability allows a remote attacker to alter the behaviour of every object in the affected Node.js or browser process and, depending on how the application uses the polluted properties, execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation: a helper that assigns a property by dotted path (setProperty, hardened in the linked fix commit) walks a path derived from untrusted input without rejecting the "__proto__" component, so a remote attacker can add or overwrite properties of Object.prototype (CWE-1321). Whether this escalates from a logic bypass or denial of service to code execution depends on which gadgets the hosting application exposes; the CVSS score above assumes the worst case.

Mitigation
Update to protobuf.js 7.2.4 or later: the linked fix commit (e66379f, pull request #1899) is included in the protobufjs-v7.2.4 release. Where updating is not immediately possible, do not pass untrusted input to the affected library, and audit application code that relies on properties inherited from Object.prototype (prefer own-property checks or null-prototype objects for configuration and option lookups).

Vulnerable software versions


External links
http://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d
http://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4
http://github.com/protobufjs/protobuf.js/pull/1899
http://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665
http://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
