Prototype Pollution
CVE-2022-25878

8.2HIGH

Key Information:

Vendor

Protobufjs Project

Status
Protobufjs
Vendor
CVE Published:
27 May 2022

What is CVE-2022-25878?

The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files

Affected Version(s)

protobufjs < 6.11.3

References

https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248
x_refsource_MISC
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507
x_refsource_MISC
https://github.com/protobufjs/protobuf.js/blob/d13d5d5688...
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alessio Della Libera from Snyk
.