VYPR
High severity · OSV Advisory · Published Nov 11, 2020 · Updated Sep 17, 2024

Prototype Pollution

CVE-2020-7768

Description

Prototype Pollution in gRPC Node.js packages (grpc and @grpc/grpc-js) via loadPackageDefinition allows attackers to modify object prototypes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The gRPC Node.js packages (grpc before 1.24.4 and @grpc/grpc-js before 1.1.8) are vulnerable to Prototype Pollution through the loadPackageDefinition function [1][2][3]. This security flaw arises because the function does not properly sanitize or validate input when processing package definitions, allowing an attacker to pollute the prototype of base objects (Object.prototype) by injecting properties with malicious keys, such as __proto__ or constructor.prototype [3].

Attack Vector and Prerequisites

Exploitation of this vulnerability requires the attacker to supply a crafted input to the loadPackageDefinition method, typically via a malicious .proto file or server reflection response that contains a specially named package or service [1][2][3]. No authentication is needed if the application processes untrusted gRPC definitions. The attack is performed on the client or server side whenever loadPackageDefinition is called with attacker-controlled data, making it accessible over the network if the gRPC endpoint accepts external definitions [3].

Impact

Successful Prototype Pollution can lead to remote code execution (RCE) by leveraging the polluted prototype to modify properties of objects across the application, ultimately altering control flow in unexpected ways [3]. The attack can bypass property checks and inject arbitrary properties into all objects inheriting from the polluted prototype, potentially leading to denial of service, privilege escalation, or other security breaches depending on the application context [3].

Mitigation

Users should upgrade to grpc version 1.24.4 or later and @grpc/grpc-js version 1.1.8 or later, which include fixes that prevent prototype pollution by sanitizing keys in loadPackageDefinition [1][2][4]. No workarounds are known; applying the patches is the recommended mitigation. The vulnerability is listed in the CVE database as CVE-2020-7768 [3].
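
The following added example (not code from grpc or from this advisory) models the bug class described in the overview and the key sanitization described in the mitigation. It assumes a loader that builds a nested object from dot-separated names; the function names, the marker property and the sample input are hypothetical and constructed for illustration.

```javascript
// Simplified model, not grpc's source; all names here are hypothetical.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe: every dot-separated segment of the name is used as a property key.
function buildTreeUnsafe(definitions) {
  const root = {};
  for (const [fqName, value] of Object.entries(definitions)) {
    const parts = fqName.split('.');
    let node = root;
    for (const part of parts.slice(0, -1)) {
      if (!node[part]) node[part] = {};
      node = node[part]; // "__proto__" resolves to Object.prototype here
    }
    node[parts[parts.length - 1]] = value;
  }
  return root;
}

// Hardened: reject reserved segments, use null-prototype nodes, own keys only.
function buildTreeSafe(definitions) {
  const root = Object.create(null);
  for (const [fqName, value] of Object.entries(definitions)) {
    const parts = fqName.split('.');
    if (parts.some((p) => RESERVED.has(p))) throw new Error(`reserved segment in name: ${fqName}`);
    let node = root;
    for (const part of parts.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(node, part)) {
        node[part] = Object.create(null);
      }
      node = node[part];
    }
    node[parts[parts.length - 1]] = value;
  }
  return root;
}

// Reports whether a fresh object inherits `marker` after loading, then cleans up.
function pollutesPrototype(loader, definitions, marker) {
  try { loader(definitions); } catch (err) { /* input rejected by the loader */ }
  const polluted = marker in {};
  delete Object.prototype[marker]; // restore global state after the check
  return polluted;
}

// Constructed sample input: one ordinary name and one with a reserved segment.
const sample = { 'demo.Greeter': 'svc', '__proto__.pollutedMarker': true };
console.log('unsafe loader pollutes:', pollutesPrototype(buildTreeUnsafe, sample, 'pollutedMarker'));
console.log('safe loader pollutes:  ', pollutesPrototype(buildTreeSafe, sample, 'pollutedMarker'));
```

The same `pollutesPrototype` probe can serve as a regression test around any loader that maps externally supplied names to object keys.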

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Affected versions    Patched versions
grpc (npm)             < 1.24.4             1.24.4
@grpc/grpc-js (npm)    < 1.1.8              1.1.8
