CVE-2023-36665
Description
"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Protobuf.js before 7.2.5 allows prototype pollution via user-controlled messages, enabling attackers to overwrite Object.prototype properties.
Vulnerability
Overview
CVE-2023-36665 is a prototype pollution vulnerability in protobuf.js, a JavaScript implementation of Protocol Buffers. The flaw affects versions 6.10.0 through 7.x prior to 7.2.5, and is distinct from an earlier issue in the same area (CVE-2022-25878). An attacker who controls a protobuf message or .proto definition can inject properties into Object.prototype, the prototype shared by every plain object, so that the injected values show up on all objects in the process and change their behaviour [1][2].
Exploitation
Vectors
The vulnerability is reachable through several entry points: (1) parse(), which parses .proto text on the fly, (2) load() and loadSync(), which read .proto files, and (3) direct calls to ReflectionObject.setParsedOption() or util.setProperty() with untrusted input. The shared sink is util.setProperty(), which walks a dotted path such as a.b.c and creates or assigns one segment at a time on the target object. Before the fix it rejected only the literal segment __proto__, so a path such as constructor.prototype.x walks from any plain object to its constructor, Object, and then to Object.prototype, where the final segment is written [2][3].
Impact
Successful exploitation lets an attacker add or overwrite properties on Object.prototype, making them visible on every object that inherits from it, which is every plain object in the process. Depending on how the application or its dependencies consume the polluted properties, this can escalate to remote code execution, denial of service, or other security impact [3].
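To make the sink and its impact concrete, here is an added example that is not protobuf.js code: a minimal dotted-path setter modelled on the setProp recursion visible in the fix commit under Patches, in a pre-fix and a patched variant, run against the constructor.prototype path that the commit's own test uses. The function names, the "polluted" property, the option paths and the split on "." are this example's assumptions; only the behaviour visible in the hunk is reproduced. It also shows a detail the paragraph does not: under strict mode the re-assignment of the read-only Object.prototype throws, but only after the leaf write has already landed, so an exception is not evidence that the pollution failed.

```javascript
// Added example, not protobuf.js code. Names (walk, setPropertyVulnerable,
// setPropertyPatched, ownOnObjectPrototype, demonstrate) and the sample
// paths are this example's own assumptions.

// Recursive setter modelled on the setProp in the hunk: consumes one path
// segment per call, creates intermediate objects as needed, and turns a
// repeated leaf into an array.
function walk(dst, parts, value, isBlocked) {
  const part = parts.shift();
  if (isBlocked(part)) {
    return dst;                       // assignment silently dropped
  }
  if (parts.length > 0) {
    dst[part] = walk(dst[part] || {}, parts, value, isBlocked);
  } else {
    const prev = dst[part];
    dst[part] = prev ? [].concat(prev).concat(value) : value;
  }
  return dst;
}

// Pre-fix behaviour (the "-" line): only "__proto__" is rejected, so
// "constructor.prototype.x" walks {} -> Object -> Object.prototype.
function setPropertyVulnerable(dst, path, value) {
  return walk(dst, path.split("."), value, seg => seg === "__proto__");
}

// Patched behaviour (the "+" line): "prototype" is rejected as well.
function setPropertyPatched(dst, path, value) {
  return walk(dst, path.split("."), value,
              seg => seg === "__proto__" || seg === "prototype");
}

// Detection helper: which of the given names are own properties of
// Object.prototype right now. Built-ins such as toString are reported too,
// so compare against a baseline taken at startup when using this in a check.
function ownOnObjectPrototype(names) {
  return names.filter(n => Object.prototype.hasOwnProperty.call(Object.prototype, n));
}

// Runs the attacker path against both variants and reports what happened.
// "constructor.prototype.polluted" is constructed input standing in for an
// untrusted option name arriving via parse()/load()/setParsedOption().
function demonstrate() {
  const attackPath = "constructor.prototype.polluted";
  const results = {};

  let threw = false;
  try {
    setPropertyVulnerable({}, attackPath, "owned");
  } catch (e) {
    // Strict mode: "Object.prototype = ..." throws, but the inner call has
    // already written Object.prototype.polluted before that assignment runs.
    threw = true;
  }
  results.vulnerableThrew = threw;                                   // mode dependent
  results.vulnerableLeaks = ({}).polluted === "owned";               // true
  results.vulnerableDetected = ownOnObjectPrototype(["polluted"]);   // ["polluted"]
  delete Object.prototype.polluted;                                  // undo for this process

  setPropertyPatched({}, attackPath, "owned");
  setPropertyPatched({}, "__proto__.polluted", "owned");
  setPropertyPatched({}, "a.constructor.prototype.polluted", "owned");
  results.patchedLeaks = ({}).polluted !== undefined;                // false
  results.patchedDetected = ownOnObjectPrototype(["polluted"]);      // []

  // Legitimate nested option paths still work after the patch, and a second
  // write to the same leaf appends, as in the library's array conversion.
  const opts = setPropertyPatched({}, "deprecated.since", "v2");
  setPropertyPatched(opts, "deprecated.since", "v3");
  results.legitimate = opts.deprecated.since;                        // ["v2", "v3"]

  return results;
}

console.log(demonstrate());
```

The cleanup with delete is only there to keep this process usable; in a real incident the right response is to restart the process, because the polluted value may already have been read by other code.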
Mitigation
The issue was fixed in version 7.2.5 for the 7.x line, released on June 27, 2023, and in 6.11.4 for the 6.x line; users should upgrade to the patched release of whichever line they are on. No workarounds have been published. Until the upgrade is in place, treat .proto text and option names from untrusted sources as unsafe input to parse(), load()/loadSync() and setParsedOption() [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| protobufjs (npm) | >= 7.0.0, < 7.2.5 | 7.2.5 |
| protobufjs (npm) | >= 6.10.0, < 6.11.4 | 6.11.4 |
Affected products
- protobuf.js/protobuf.js
- OSV coordinates (4 versions):
  - pkg:apk/chainguard/kibana-8: < 8.17.3-r2 (no CPE)
  - pkg:apk/chainguard/kibana-8-bitnami: < 8.17.3-r2 (no CPE)
  - pkg:apk/chainguard/kibana-8-iamguarded: < 8.17.3-r2 (no CPE)
  - pkg:npm/protobufjs: >= 7.0.0, < 7.2.5 (no CPE)
Patches
e66379f451b0 fix: do not let setProperty change the prototype (#1899)
2 files changed · +10 −1
src/util.js+1 −1 modified@@ -176,7 +176,7 @@ util.decorateEnum = function decorateEnum(object) { util.setProperty = function setProperty(dst, path, value) { function setProp(dst, path, value) { var part = path.shift(); - if (part === "__proto__") { + if (part === "__proto__" || part === "prototype") { return dst; } if (path.length > 0) {
tests/api_util.js+9 −0 modified@@ -95,6 +95,15 @@ tape.test("util", function(test) { util.setProperty(o, 'prop.subprop', { subsub2: 7}); test.same(o, {prop1: [5, 6], prop: {subprop: [{subsub: [5,6]}, {subsub2: 7}]}}, "should convert nested properties to array"); + + util.setProperty({}, "__proto__.test", "value"); + test.is({}.test, undefined); + + util.setProperty({}, "prototype.test", "value"); + test.is({}.test, undefined); + + util.setProperty({}, "constructor.prototype.test", "value"); + test.is({}.test, undefined); test.end(); });
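Review bot: in the src/util.js hunk the early return in setProp drops the assignment silently when a segment is "__proto__" or "prototype", so a caller never learns that an option was discarded, and an option field legitimately named prototype now vanishes from parsed options with no warning. Consider throwing on a blocked segment, or at minimum documenting the rejected names in the util.setProperty JSDoc; the per-segment placement of the check is right, since the recursion re-runs it for every part of the path.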
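Review bot: the three new cases in tests/api_util.js only put the blocked name in the first or second segment; add a path where it follows a legitimate field, e.g. util.setProperty({}, "a.constructor.prototype.test", "value");, and assert Object.prototype.hasOwnProperty("test") === false alongside test.is({}.test, undefined). Also add delete Object.prototype.test after the calls, so that if one of them ever regresses the polluted property does not leak into every later test in the tape run.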
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h755-8qp9-cq85 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-36665 (GHSA: advisory)
- github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d (GHSA: web)
- github.com/protobufjs/protobuf.js/commits/release-6.11.4 (GHSA: web)
- github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4 (GHSA: web)
- github.com/protobufjs/protobuf.js/issues/1918 (GHSA: web)
- github.com/protobufjs/protobuf.js/pull/1899 (GHSA: web)
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4 (GHSA: web)
- security.netapp.com/advisory/ntap-20240628-0006 (GHSA: web)
- www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665 (GHSA: web)
- security.netapp.com/advisory/ntap-20240628-0006/ (MITRE)
News mentions
No linked articles in our index yet.