CVE-2022-25878 - Serious Prototype Pollution Vulnerability in Protobufjs Prior to 6.11.3 and Its Potential Exploits

---

Hey all! I've recently come across an important security vulnerability, CVE-2022-25878, in the popular package protobufjs. It affects all versions before 6.11.3, and poses a serious threat due to its prototype pollution. In case you're using protobufjs in your projects, let's get a closer look at the issue, some example code snippets, and the potential exploits.

Overview of the Vulnerability

The vulnerability in protobufjs is rooted in the Prototype Pollution risk, which grants an attacker the ability to add or modify properties of an Object.prototype. Such an exploit can wreak havoc in a variety of ways, compromising essential data and functions in web applications. The vulnerability can be triggered in two different ways:

1. By providing untrusted user input to either util.setProperty or ReflectionObject.setParsedOption functions.

Links to Official References

- CVE-2022-25878
- Original NPM Security Advisory
- GitHub Repository

1. Untrusted User Input to util.setProperty Function

const util = require('protobufjs/src/util.js');

const userData = JSON.parse(userInput);
util.setProperty({}, userData.property, userData.value);

Here, the userInput variable can contain malicious data which is then passed to the util.setProperty function, leading to prototype pollution.

2. Untrusted User Input to ReflectionObject.setParsedOption Function

const protobuf = require('protobufjs');
const descriptor = require('protobufjs/src/declaration.js');
const root = new protobuf.Root();

const reflectionObject = new descriptor.Declaration();
reflectionObject.setParsedOption(userInput.name, userInput.value, root, JSON.parse(userInput.fileComment));

In this example, the userInput carries malevolent content, which is supplied to the ReflectionObject.setParsedOption function, resulting in prototype pollution.

3. Parsing/loading .proto Files

const protobuf = require('protobufjs');
const maliciousProtoFile = '/* malicious code */';

protobuf.parse(maliciousProtoFile);

When an ill-intended actor manipulates .proto files, loading or parsing them with protobufjs can lead to prototype pollution.

Potential Exploits

With the prototype pollution vulnerability, there are several ways attackers can exploit the vulnerability:

1. Denial of Service (DoS): An attacker could modify essential properties or functions of an application, causing it to crash or become unresponsive, thus denying service to legitimate users.
2. Access Control Bypass: By manipulating key properties, such as user roles or permissions, attackers can potentially bypass access controls and gain unauthorized privileges.
3. Code Execution: In instances where user properties are used as part of application logic, an attacker can employ clever input or calculated timing to execute malicious code.
4. Data Leakage: By exploiting the vulnerability, cybercriminals can insert or modify data, potentially revealing sensitive information or creating a channel for ongoing data theft.

To address this vulnerability, please update the protobufjs package to version 6.11.3 or later

npm update protobufjs --depth <depth>

Additionally, it is vital to put measures that restrict unknown external inputs from being fed into critical functions and ensure the security of your application.

Timeline

Published on: 05/27/2022 20:15:00 UTC
Last modified on: 06/08/2022 17:22:00 UTC