Nodejs protobufjs, Prototype Pollution, CVE-2022-25878 (Medium)

Listen to this Post

How the CVE Works

The vulnerability in `protobufjs` (versions prior to 6.11.3) stems from the way generated message constructors handle enumerable properties from a user-supplied object. When a new message instance is created, the constructor iterates over and copies all enumerable properties directly from a provided `properties` object onto the new instance. This copying process does not filter the `__proto__` key. Consequently, if an attacker can control the `properties` object (for example, by injecting a crafted JSON payload containing an own enumerable `__proto__` property), assignment to `this[‘__proto__’]` will traverse the prototype chain and modify the `Object.prototype` of all objects in the application. This prototype pollution attack can allow the attacker to add, modify, or overwrite global properties and methods, leading to severe consequences like Denial of Service, arbitrary JavaScript execution, or logic bypasses.

DailyCVE Form

Platform: `Node.js / npm`
Version: `<=6.11.3` Vulnerability : `Prototype Pollution` Severity: `Medium` Date: `2026-05-12`

Prediction: `Outdated / No Patch`

What Undercode Say

Analytics

  • Exploitability: Medium (requires untrusted JSON input)
  • Impact: Cross‑application prototype pollution
  • Fixed in: Version 6.11.4 or higher

Bash Commands & Code

Check current version of protobufjs
npm list protobufjs
Update to a safe version
npm install protobufjs@^6.11.4
// Vulnerable pattern
const malicious = { <strong>proto</strong>: { polluted: true } };
const msg = new protobuf.Message(malicious);

Exploit

const protobuf = require('protobufjs');
const payload = JSON.parse('{"<strong>proto</strong>": {"isAdmin": true}}');
const maliciousMessage = new protobuf.Message(payload);
console.log({}.isAdmin); // true

Protection from this CVE

1. Update immediately to `[email protected]` or higher.

  1. Sanitize input – reject `__proto__` keys when parsing JSON.

3. Freeze prototypes – `Object.freeze(Object.prototype)`.

4. Use `Object.create(null)` for untrusted data.

Impact

  • Remote Code Execution: Polluted properties can flow into dangerous sinks like `eval()` or child_process.exec().
  • Denial of Service: Overwriting critical global methods breaks application logic.
  • Authentication Bypass: Adding properties like `isAdmin` to `Object.prototype` can grant unintended privileges.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top