CVE-2022-25878

8.2 HIGH

📋 TL;DR

CVE-2022-25878 is a prototype pollution vulnerability in the protobufjs library that allows attackers to modify JavaScript object prototypes. This can lead to denial of service, remote code execution, or privilege escalation. Any application that uses a vulnerable version of protobufjs to parse untrusted .proto files or to process untrusted user input is affected.

💻 Affected Systems

Products:
  • protobufjs
  • Any application/library using protobufjs
Versions: All versions before 6.11.3
Operating Systems: All platforms running Node.js/JavaScript
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability triggers when parsing untrusted .proto files or when untrusted input reaches the util.setProperty or ReflectionObject.setParsedOption functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠 Likely Case: Denial of service through application crashes or unexpected behavior modification.

🟢 If Mitigated: Limited impact if input validation prevents untrusted data from reaching vulnerable functions.

🌐 Internet-Facing: HIGH - Web applications accepting untrusted .proto files or user input are directly exploitable.
🏢 Internal Only: MEDIUM - Internal services processing untrusted data remain vulnerable but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code exists in public repositories. Exploitation requires the attacker to control the input reaching the vulnerable functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.11.3 and later

Vendor Advisory: https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-5gwq-46m7-23f3

Restart Required: Yes

Instructions:

1. Update package.json to specify protobufjs >=6.11.3.
2. Run 'npm update protobufjs' or 'yarn upgrade protobufjs'.
3. Restart all affected applications/services.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Validate and sanitize all user input before passing it to protobufjs functions.

Freeze Object.prototype (applies to: all)

Prevent prototype pollution by freezing Object.prototype (may break functionality):

Object.freeze(Object.prototype)

🧯 If You Can't Patch

  • Implement strict input validation for all .proto files and user input
  • Isolate protobufjs processing in sandboxed environments or containers
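As an added example that is neither protobufjs's own code nor part of this advisory, the following JavaScript shows what the two workarounds above and the "strict input validation" item amount to in practice: a hypothetical dotted-path setter (named safeSetProperty, in the spirit of the util.setProperty helper the advisory names, not copied from it) that refuses any path segment able to reach Object.prototype, a startup check that the prototype is still clean, and the freeze call wrapped so the caller sees whether it took effect. All function names are assumptions.

```javascript
"use strict";

// Added example, not protobufjs code. safeSetProperty is a hypothetical
// dotted-path setter; its guard rejects every path segment that could
// reach Object.prototype instead of writing through it.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function safeSetProperty(target, path, value) {
  if (typeof path !== "string" || path.length === 0) {
    throw new TypeError("path must be a non-empty dotted string");
  }
  const segments = path.split(".");
  for (const seg of segments) {
    if (seg.length === 0) {
      throw new Error(`empty path segment in "${path}"`);
    }
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing prototype-reaching path segment "${seg}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Only descend into own, object-valued children; anything inherited
    // or non-object is replaced with a fresh container.
    const existing = Object.prototype.hasOwnProperty.call(cur, seg) ? cur[seg] : undefined;
    if (existing === null || typeof existing !== "object") {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Runtime check a service can run at startup or from a health endpoint:
// a freshly created object must not see inherited keys it never defined.
function prototypeIsClean(probeKeys = ["polluted"]) {
  const probe = {};
  return probeKeys.every((k) => !(k in probe));
}

// The advisory's second workaround, wrapped so callers see the result.
// Freezing is irreversible for the process; do it once, early, and test
// the application afterwards because libraries that extend
// Object.prototype will start failing.
function freezeObjectPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Demo: a normal path is written, a prototype-reaching path is refused.
const cfg = safeSetProperty({}, "server.port", 8080);
console.log(JSON.stringify(cfg)); // {"server":{"port":8080}}
try {
  safeSetProperty({}, "__proto__.polluted", true);
} catch (e) {
  console.log("blocked:", e.message);
}
console.log("Object.prototype clean:", prototypeIsClean());
```

The segment check runs before any write, so a rejected path leaves the target untouched; the own-property check on descent stops the setter from walking into an inherited object even when a forbidden name is spelled differently upstream (for example supplied by a parser that already resolved it).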

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list protobufjs' to see the installed version.

Check Version:

npm list protobufjs | grep protobufjs

Verify Fix Applied:

Confirm installed version is 6.11.3 or higher with 'npm list protobufjs'
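The version checks above read the output by eye; on a real dependency tree protobufjs is often installed more than once, and a patched direct dependency can sit next to an unpatched transitive copy. As an added example (not part of the advisory), the JavaScript below walks the JSON that `npm ls --all --json` prints and flags every protobufjs copy below 6.11.3. The sample tree is constructed for the example; the JSON shape (name, version, nested dependencies) is the one npm emits.

```javascript
"use strict";

// Added example, not part of the advisory. Walks `npm ls --all --json`
// output and reports every protobufjs copy, including transitive ones,
// whose version is below the fixed release.
const FIXED_VERSION = "6.11.3";

// Parse MAJOR.MINOR.PATCH plus an optional pre-release flag. Build
// metadata (+...) is accepted and ignored, as semver specifies.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

// -1 if a < b, 0 if equal, 1 if a > b. A pre-release ranks below the
// release with the same numbers, so 6.11.3-rc.1 still counts as vulnerable.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  return pa.pre ? -1 : 1;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Depth-first walk of the dependency tree. Each finding records the path
// from the root so the direct dependency that pulled the copy in is obvious.
function findProtobufjs(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = path.concat(name);
    if (name === "protobufjs" && typeof node.version === "string") {
      out.push({ path: here.join(" > "), version: node.version, vulnerable: isVulnerable(node.version) });
    }
    findProtobufjs(node, here, out);
  }
  return out;
}

// Constructed sample shaped like `npm ls --all --json` output: the direct
// dependency is patched, a transitive copy under a hypothetical client
// library is not.
const SAMPLE_NPM_LS = {
  name: "example-service",
  version: "1.0.0",
  dependencies: {
    protobufjs: { version: "6.11.3", dependencies: {} },
    "some-grpc-client": {
      version: "2.0.0",
      dependencies: {
        protobufjs: { version: "6.10.2", dependencies: {} }
      }
    }
  }
};

// Prints one line per copy and returns the number of vulnerable copies,
// which a CI job can turn into a non-zero exit status.
function report(tree) {
  const findings = findProtobufjs(tree);
  for (const f of findings) {
    console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} protobufjs@${f.version}  (${f.path})`);
  }
  return findings.filter((f) => f.vulnerable).length;
}

// Against a real project: JSON.parse(require("child_process").execSync("npm ls --all --json"))
report(SAMPLE_NPM_LS);
```

Run it as `node check-protobufjs.js` (file name assumed) with the execSync line swapped in for the sample; `process.exit(report(tree) > 0 ? 1 : 0)` makes the check fail the build while any unpatched copy remains.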

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual .proto file parsing errors
  • Memory usage spikes

Network Indicators:

  • Requests with malformed .proto files
  • Unexpected outbound connections after .proto processing

SIEM Query:

source="application.log" AND ("protobufjs" OR ".proto") AND ("crash" OR "error" OR "unexpected")
