CVEFinder.io

CVE-2023-36665

⛔ critical
🔍 Scan for this CVE
Summary

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions Ref

Description

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

CVSS Score
9.8
Critical
EPSS Score
1.7
Exploit Probability
Published Date
2023-07-05
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.4% of all 321,566 vulnerabilities in our database.

#30,777
Top 10% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: Jul 8, 2024
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2024-11-21
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-1321

📦 Affected Products 1

Vendor Product Status Affected Versions
protobufjs_project protobufjs Affected
≥ 6.10.0 < 7.2.5

🔗 References 6

https://github.com/protobufjs/protobuf.js/commit/e66...
Patch
https://github.com/protobufjs/protobuf.js/compare/pr...
Patch
https://github.com/protobufjs/protobuf.js/pull/1899
Patch Vendor Advisory
https://github.com/protobufjs/protobuf.js/releases/t...
Release Notes
https://security.netapp.com/advisory/ntap-20240628-0...
https://www.code-intelligence.com/blog/cve-protobufj...
Exploit Patch Third Party Advisory

🔗 Related CVEs 5

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44290 ⚠️ high 7.5 0.1 protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed ce... 2026-05-13
CVE-2026-44291 ⚠️ high 8.1 0.1 protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain... 2026-05-13
CVE-2026-44288 🔶 medium 5.3 0.0 protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a... 2026-05-13
CVE-2022-25878 ⚠️ high 8.2 0.4 The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify pro... 2022-05-27
CVE-2018-3738 🔶 medium 5.5 0.2 protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files. 2018-06-07
These CVEs affect the same products