CVE-2022-25878

Severity: HIGH (CVSS 3.1 base score 7.5)
Published May 27, 2022
Last Modified Jun 17, 2026

Description

The protobufjs package before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add or modify properties of Object.prototype. The vulnerability can be reached in two ways: (1) by passing untrusted user input to the util.setProperty or ReflectionObject.setParsedOption functions, or (2) by parsing or loading attacker-supplied .proto files.
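The following is an added example, not code from protobufjs or from this advisory. setPropertyVulnerable is a simplified model of a dotted-path setter with the semantics the description attributes to util.setProperty(dst, path, value): walk the path, create missing intermediate objects, assign the leaf, with no check on the key names. setPropertySafe is the same setter hardened against CWE-1321; it goes slightly beyond the __proto__ case by also rejecting the constructor and prototype segments, since a walk through constructor.prototype reaches Object.prototype the same way. The attacker path, the isAdmin property and the options.java_package example path are constructed for the demonstration.

```javascript
"use strict";

// Vulnerable model of a dotted-path setter (added example, not protobufjs
// code). It walks the path, creates missing intermediates and assigns the
// leaf, without checking the key names.
function setPropertyVulnerable(dst, path, value) {
  if (typeof dst !== "object" || dst === null) throw new TypeError("dst must be an object");
  if (!path) throw new TypeError("path must be specified");
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    // ({})["__proto__"] is Object.prototype and ({}).constructor is Object,
    // so for those keys no fresh object is created: the walk steps into the
    // shared prototype and the final assignment lands there.
    if (cur[part] === undefined || cur[part] === null) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Keys through which a path walk can reach a shared prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened variant: refuse any segment naming a prototype-reaching key, and
// only descend into own properties so an inherited value is never reused as
// an intermediate container.
function setPropertySafe(dst, path, value) {
  if (typeof dst !== "object" || dst === null) throw new TypeError("dst must be an object");
  if (!path) throw new TypeError("path must be specified");
  const parts = path.split(".");
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) {
      throw new Error(`refusing to set property through key "${part}"`);
    }
  }
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, part) ? cur[part] : undefined;
    if (typeof own !== "object" || own === null) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Constructed attacker-controlled path, as it might arrive in a request body
// or as an option name inside a parsed .proto file.
const ATTACKER_PATH = "__proto__.isAdmin";

// Runs the same malicious input against both setters and reports the effect
// on an unrelated object created afterwards. Removes the polluted property so
// the rest of the process is not left with a tainted Object.prototype.
function demonstrate(path = ATTACKER_PATH) {
  const leaf = path.split(".").pop();
  const report = {};
  try {
    setPropertyVulnerable({}, path, true);
    // Pollution is process-wide: a brand-new object now inherits the value.
    report.vulnerablePolluted = ({})[leaf] === true;
  } finally {
    delete Object.prototype[leaf];
  }
  report.cleanedUp = ({})[leaf] === undefined;

  try {
    setPropertySafe({}, path, true);
    report.safeRejected = false;
  } catch (e) {
    report.safeRejected = true;
  }
  report.safePolluted = ({})[leaf] === true;

  // The hardened setter still handles ordinary nested paths.
  const obj = setPropertySafe({}, "options.java_package", "com.example.proto");
  report.nestedWorks = obj.options.java_package === "com.example.proto";
  return report;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demonstrate());
  console.log(demonstrate("constructor.prototype.isAdmin"));
}
```

Run with node; both reports show vulnerablePolluted true and safeRejected true, the second one via the constructor.prototype walk rather than __proto__. To find out whether a dependency tree pulls in an affected version, npm ls protobufjs lists every resolved copy; anything below 6.11.3 needs upgrading.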

CVSS Details

Base Score: 7.5
Exploitability: 3.9
Impact: 3.6
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected Products

Vendor: protobufjs_project
Product: protobufjs
Version: * (all versions)
Range: < 6.11.3

References

  • github.com https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197
    Broken Link
  • github.com https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f
    Patch, Third Party Advisory
  • github.com https://github.com/protobufjs/protobuf.js/pull/1731
    Patch, Third Party Advisory
  • snyk.io https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507
    Exploit, Patch, Third Party Advisory
  • snyk.io https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248
    Exploit, Patch, Third Party Advisory

Remediation

Upgrade protobufjs to 6.11.3 or later, which carries the fix merged in PR #1731 (commit b5f1391dff5515894830a6570e6d73f5511b2e8f):

  • github.com https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f
  • github.com https://github.com/protobufjs/protobuf.js/pull/1731

Until the upgrade is in place, do not pass attacker-controlled values to util.setProperty or ReflectionObject.setParsedOption, and do not parse or load .proto files from untrusted sources.