Prototype Pollution
Description
The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add or modify properties of Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to the util.setProperty or ReflectionObject.setParsedOption functions; 2. by parsing/loading .proto files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Protobuf.js before 6.11.3 allows prototype pollution via untrusted input to setProperty or .proto parsing, enabling property injection on Object.prototype.
Vulnerability
Protobuf.js versions before 6.11.3 are vulnerable to Prototype Pollution [1][2]. The vulnerability exists in the util.setProperty and ReflectionObject.setParsedOption functions, as well as during parsing or loading of .proto files [2]. An attacker can add or modify properties of Object.prototype by providing crafted input to these functions or by supplying a malicious .proto file [2].
Exploitation
An attacker needs to supply untrusted user input to util.setProperty or ReflectionObject.setParsedOption, or to parse/load a specially crafted .proto file [2]. No authentication or special network position is required if the application exposes these functions to user input. The attacker can inject properties like __proto__ or constructor.prototype to pollute the prototype chain [4].
Impact
Successful exploitation allows the attacker to add or modify properties on Object.prototype, leading to potential denial of service, property injection, or in some contexts, arbitrary code execution depending on how the polluted properties are used by the application [2]. The impact is limited to the JavaScript runtime environment where protobuf.js is used.
Mitigation
The fix was released in protobuf.js version 6.11.3 [1][2]. The commit b5f1391dff5515894830a6570e6d73f5511b2e8f addresses the issue by preventing setProperty from modifying the prototype [4]. Users should upgrade to version 6.11.3 or later. No workaround is available for earlier versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
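The Mitigation section above describes the fix as stopping setProperty from walking into the prototype chain. The following is an example added here, not protobuf.js's own code: a hardened dotted-path setter in the style of util.setProperty that rejects unsafe segments outright, plus a check that Object.prototype has not been polluted. The names safeSetProperty, objectPrototypeClean and demo are hypothetical.

```javascript
// Added example (not protobuf.js code): hardened path setter and pollution check.
// Segments that would move the walk onto Object.prototype (the __proto__ and
// constructor.prototype vectors named in the advisory) are refused.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Accepts either an array of segments or a dotted string ("a.b.c").
// Throws instead of silently dropping the write, so callers notice bad input.
function safeSetProperty(dst, path, value) {
  const parts = Array.isArray(path) ? path.slice() : String(path).split(".");
  let cur = dst;
  for (let i = 0; i < parts.length; i++) {
    const part = parts[i];
    if (UNSAFE_KEYS.has(part)) {
      throw new Error(`refusing unsafe key "${part}" in path "${parts.join(".")}"`);
    }
    if (i === parts.length - 1) {
      cur[part] = value;
    } else {
      // Only descend into an existing *own* plain object; never follow an
      // inherited property such as toString or constructor.
      const own = Object.prototype.hasOwnProperty.call(cur, part);
      if (!own || typeof cur[part] !== "object" || cur[part] === null) {
        cur[part] = {};
      }
      cur = cur[part];
    }
  }
  return dst;
}

// Defensive check: a fresh object must not inherit any of the given keys.
// Useful as an assertion in tests or as a runtime self-check after parsing.
function objectPrototypeClean(keys) {
  const probe = {};
  return keys.every((k) => !(k in probe));
}

// Constructed sample inputs: one legitimate option path and the two
// pollution-shaped paths the advisory describes.
function demo() {
  const obj = safeSetProperty({}, "options.json_name", "foo");
  const rejected = [];
  for (const p of ["__proto__.polluted", "constructor.prototype.polluted"]) {
    try { safeSetProperty({}, p, true); } catch (e) { rejected.push(p); }
  }
  return { obj, rejected, clean: objectPrototypeClean(["polluted"]) };
}
```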
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| protobufjs | npm | >= 6.11.0, < 6.11.3 | 6.11.3 |
| protobufjs | npm | >= 6.10.0, < 6.10.3 | 6.10.3 |
Affected products
- protobufjs/protobufjs
Patches
b5f1391dff55 fix: do not let setProperty change the prototype (#1731)
1 file changed · +3 −0
src/util.js+3 −0 modified@@ -176,6 +176,9 @@ util.decorateEnum = function decorateEnum(object) { util.setProperty = function setProperty(dst, path, value) { function setProp(dst, path, value) { var part = path.shift(); + if (part === "__proto__") { + return dst; + } if (path.length > 0) { dst[part] = setProp(dst[part] || {}, path, value); } else {
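Review bot: the guard `if (part === "__proto__") { return dst; }` only rejects the literal `__proto__` segment, so a path whose segments are `constructor` followed by `prototype` (the other vector named in the Exploitation section above) still descends through `dst[part] || {}` onto Object.prototype and sets the final key there; suggest also rejecting `constructor` and `prototype` segments, or checking `Object.prototype.hasOwnProperty.call(dst, part)` before descending. Returning `dst` also drops the write silently rather than signalling the rejected input; a comment, or a thrown error, would make that behaviour explicit to callers.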
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-g954-5hwp-pp24 (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-25878 (advisory)
3. github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js#L176-L197 (web)
4. github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f (web)
5. github.com/protobufjs/protobuf.js/pull/1731 (web)
6. github.com/protobufjs/protobuf.js/pull/1735 (web)
7. snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507 (web)
8. snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248 (web)