Vulnerability Details: CVE-2023-36665
Potential exploit
"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty."
Products affected by CVE-2023-36665
- Protobufjs Project » Protobufjs » For Node.js: versions from 6.10.0 (inclusive, >=) up to but not including (<) 7.2.5
  CPE: cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-36665
- EPSS score: 1.67% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~81% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2023-36665
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2023-36665
- The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-36665
- https://security.netapp.com/advisory/ntap-20240628-0006/
  CVE-2023-36665 Protobuf.js Vulnerability in NetApp Products | NetApp Product Security
- https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4
  Comparing protobufjs-v7.2.3...protobufjs-v7.2.4 · protobufjs/protobuf.js · GitHub (Patch)
- https://github.com/protobufjs/protobuf.js/pull/1899
  fix: do not let setProperty change the prototype by alexander-fenster · Pull Request #1899 · protobufjs/protobuf.js · GitHub (Patch; Vendor Advisory)
- https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d
  fix: do not let setProperty change the prototype (#1899) · protobufjs/protobuf.js@e66379f · GitHub (Patch)
- https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665
  New Vulnerability in protobufjs: Prototype Pollution - CVE-2023-36665 (Exploit; Patch; Third Party Advisory)
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4
  Release protobufjs: v7.2.4 · protobufjs/protobuf.js · GitHub (Release Notes)