Listen to this Post
How the CVE Works
The vulnerability in `protobufjs` (versions prior to 6.11.3) stems from the way generated message constructors handle enumerable properties from a user-supplied object. When a new message instance is created, the constructor iterates over and copies all enumerable properties directly from a provided `properties` object onto the new instance. This copying process does not filter the `__proto__` key. Consequently, if an attacker can control the `properties` object (for example, by injecting a crafted JSON payload containing an own enumerable `__proto__` property), assignment to `this[‘__proto__’]` will traverse the prototype chain and modify the `Object.prototype` of all objects in the application. This prototype pollution attack can allow the attacker to add, modify, or overwrite global properties and methods, leading to severe consequences like Denial of Service, arbitrary JavaScript execution, or logic bypasses.
DailyCVE Form
Platform: `Node.js / npm`
Version: `<=6.11.3`
Vulnerability : `Prototype Pollution`
Severity: `Medium`
Date: `2026-05-12`
Prediction: `Outdated / No Patch`
What Undercode Say
Analytics
- Exploitability: Medium (requires untrusted JSON input)
- Impact: Cross‑application prototype pollution
- Fixed in: Version 6.11.4 or higher
Bash Commands & Code
Check current version of protobufjs npm list protobufjs Update to a safe version npm install protobufjs@^6.11.4
// Vulnerable pattern
const malicious = { <strong>proto</strong>: { polluted: true } };
const msg = new protobuf.Message(malicious);
Exploit
const protobuf = require('protobufjs');
const payload = JSON.parse('{"<strong>proto</strong>": {"isAdmin": true}}');
const maliciousMessage = new protobuf.Message(payload);
console.log({}.isAdmin); // true
Protection from this CVE
1. Update immediately to `[email protected]` or higher.
- Sanitize input – reject `__proto__` keys when parsing JSON.
3. Freeze prototypes – `Object.freeze(Object.prototype)`.
4. Use `Object.create(null)` for untrusted data.
Impact
- Remote Code Execution: Polluted properties can flow into dangerous sinks like `eval()` or
child_process.exec(). - Denial of Service: Overwriting critical global methods breaks application logic.
- Authentication Bypass: Adding properties like `isAdmin` to `Object.prototype` can grant unintended privileges.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

