
Prototype Pollution Vulnerability CVE-2023-36665

High
narayan954 published GHSA-w79q-25wh-7jxv Jul 10, 2023

Package

firebase

Affected versions

6.10.0 < affected versions < 7.2.4

Patched versions

7.2.4

Description

Summary

Prototype pollution vulnerability introduced through firebase@9.18.0; severity: High.
Remediation: use a protobufjs version newer than protobufjs@7.2.2 or protobufjs@6.11.3.

Details


PoC

Run: npm ls protobufjs, to see which protobufjs versions are resolved in the dependency tree. Upgrading the protobufjs version through package-lock.json should eliminate the problem.
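As an added example (not part of this advisory or of the firebase project), the check described above automated: walk the JSON form of npm ls protobufjs and flag every protobufjs copy that is not newer than the versions named under Remediation. The sample dependency tree, its package names and its versions are constructed for illustration.

```javascript
// Added example, not part of the advisory: audit `npm ls protobufjs --json`
// output for protobufjs copies that are not strictly newer than the versions
// the remediation names (7.2.2 on the 7.x line, 6.11.3 on the 6.x line).
// Assumption: plain "x.y.z" versions; pre-release suffixes are ignored.
const NEWER_THAN = { 6: [6, 11, 3], 7: [7, 2, 2] };
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// 'vulnerable' unless strictly newer than the threshold for its major line;
// other majors or unparsable versions are 'unknown' so a reviewer looks at them.
function classify(version) {
  const v = parseVersion(version);
  const threshold = v && NEWER_THAN[v[0]];
  if (!threshold) return 'unknown';
  return compareVersions(v, threshold) > 0 ? 'ok' : 'vulnerable';
}
// Walk the nested `dependencies` tree that `npm ls --json` prints and record
// every protobufjs instance together with the chain that pulls it in.
function findProtobufjs(tree, chain = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...chain, `${name}@${info.version}`];
    if (name === 'protobufjs') {
      out.push({ chain: here.join(' > '), version: info.version, status: classify(info.version) });
    }
    findProtobufjs(info, here, out);
  }
  return out;
}
// Constructed sample shaped like `npm ls protobufjs --json` (illustrative
// package names and versions, not taken from a real project).
const SAMPLE_NPM_LS = {
  name: 'example-app',
  dependencies: {
    firebase: { version: '9.18.0', dependencies: {
      '@grpc/proto-loader': { version: '0.7.0', dependencies: {
        protobufjs: { version: '7.2.2' } } } } },
    'some-other-lib': { version: '1.0.0', dependencies: {
      protobufjs: { version: '7.2.4' } } },
  },
};
for (const hit of findProtobufjs(SAMPLE_NPM_LS)) {
  console.log(`${hit.status.padEnd(10)} ${hit.chain}`);
}
```

To audit a real project, replace SAMPLE_NPM_LS with the parsed output of npm ls protobufjs --json; the chain column shows which top-level dependency needs its lock-file entry bumped.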

Impact

Affected versions of this package are vulnerable to Prototype Pollution. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions.

Severity

High

CVE ID

CVE-2023-36665

Weaknesses

Credits