Mastodawn

Protobuf.js Vulnerabilities Expose Node.js Apps to Code Execution, DoS

A single malicious protobuf schema could be all it takes to trigger crashes, corrupt runtimes, or even execute code in vulnerable Node.js apps, warns Cyera security researcher Assaf Morag. Six newly identified vulnerabilities in protobuf.js, known as Proto6, carry high severity scores and could put your app at risk.

https://osintsights.com/protobufjs-vulnerabilities-expose-nodejs-apps-to-code-execution-dos?utm_source=mastodon&utm_medium=social

#Nodejs #Protobufjs #CodeExecution #DenialOfService #EmergingThreats

Protobuf.js Vulnerabilities Expose Node.js Apps to Code Execution, DoS

Learn about Protobuf.js vulnerabilities exposing Node.js apps to code execution and DoS attacks, and take immediate action to secure your applications now with expert guidance.

OSINTSights

Code Intelligence Jul 11, 2023

We found a prototype pollution vulnerability in protobufjs: CVE-2023-36665 🚨
Snyk CVSS Score: 8.6 (high)

Affected applications are at risk of remote code execution and denial of service attacks. The vulnerability was found by our open-source JavaScript fuzzer Jazzer.js, running in Google's OSS-Fuzz.

Mitigation:
Versions from 6.10.0 to 7.2.4 are affected and hence vulnerable to prototype pollution. The maintainer issued an update that fixed this vulnerability on April 18, 2023. We strongly recommend that impacted users upgrade to newer versions that include the fixes, i.e., version 7.2.4 and above.

Hats off to our colleague Peter for writing the bug detector and disclosing the vulnerability to the project maintainer 🙌

More info in our blog: https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665

#javascript #jazzerjs #cve #opensource #protobufjs

New Vulnerability in protobufjs: Prototype Pollution - CVE-2023-36665

New Prototype Pollution Vulnerability exposes protobufjs to Remote Code Execution (CVE-2023-36665). Mitigation and Remediation.