The Hacker News, 2 min read

Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

Cybersecurity researchers this week disclosed six vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers. If exploited, the flaws could let an attacker achieve remote code execution (RCE) or cause a denial of service (DoS) in Node.js applications. According to the researchers, a single malicious protobuf schema, descriptor, or crafted payload can be enough to trigger the issues in a vulnerable environment. Affected versions of protobuf.js range from v1.3.0 to v1.4.0.

The vulnerabilities include prototype pollution, unsafe deserialization, and improper input validation, which can be chained together to reach the full impact. One of them, CVE-2024-37120, allows arbitrary code execution by manipulating the parsing of nested messages; another, CVE-2024-37119, enables DoS by causing excessive memory consumption during deserialization. The researchers published proof-of-concept exploits for several of the flaws to demonstrate that they are practically exploitable.

Developers are urged to update their protobuf.js dependency to the patched release, v1.4.1, which addresses all six identified weaknesses. The disclosure followed a standard responsible disclosure process: the protobuf.js maintainers were notified and given ample time to develop and release fixes before the public announcement.
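As an added, defender-side illustration (not code from the article, the researchers, or protobuf.js itself): a small guard that a Node.js service can run over an untrusted descriptor or JSON payload before handing it to a protobuf library, rejecting prototype-polluting keys and capping nesting depth and node count, plus a check of the version range the article gives. The depth and node limits, the function names and the sample descriptors are assumptions constructed for this example.

```javascript
// Added example, not from the article or from protobuf.js itself: a pre-parse
// guard for untrusted descriptors/payloads plus a check of the version range
// the article gives (affected v1.3.0..v1.4.0, fixed in v1.4.1). It rejects
// prototype-polluting keys and caps nesting depth and node count, the generic
// mitigations for the pollution and memory-exhaustion classes named above.
// The depth/node limits are illustrative assumptions, not values from the page.
const POLLUTING_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function validateUntrustedDescriptor(value, { maxDepth = 32, maxNodes = 10000 } = {}) {
  let nodes = 0;
  // Explicit stack: a deeply nested input must not overflow the validator itself.
  const stack = [{ value, depth: 0, path: "$" }];
  while (stack.length > 0) {
    const { value: cur, depth, path } = stack.pop();
    if (++nodes > maxNodes) return { ok: false, reason: `more than ${maxNodes} nodes at ${path}` };
    if (depth > maxDepth) return { ok: false, reason: `nesting deeper than ${maxDepth} at ${path}` };
    if (cur === null || typeof cur !== "object") continue; // scalars need no checks
    if (Array.isArray(cur)) {
      cur.forEach((item, i) => stack.push({ value: item, depth: depth + 1, path: `${path}[${i}]` }));
      continue;
    }
    for (const key of Object.keys(cur)) { // own keys only; JSON.parse makes "__proto__" an own key
      if (POLLUTING_KEYS.has(key)) return { ok: false, reason: `forbidden key "${key}" at ${path}` };
      stack.push({ value: cur[key], depth: depth + 1, path: `${path}.${key}` });
    }
  }
  return { ok: true, reason: "" };
}

// Minimal semver compare (major.minor.patch, optional leading "v").
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, "").split(".").map((n) => Number(n) || 0);
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Range taken from the article: v1.3.0 through v1.4.0 affected, v1.4.1 patched.
function isAffectedProtobufjsVersion(version) {
  return compareVersions(version, "1.3.0") >= 0 && compareVersions(version, "1.4.0") <= 0;
}

// Constructed samples in the JSON-descriptor shape ({ nested: { Type: { fields } } }).
const SAMPLE_DESCRIPTOR = JSON.parse(
  '{"nested":{"Ping":{"fields":{"id":{"type":"uint32","id":1}}}}}'
);
const POLLUTED_DESCRIPTOR = JSON.parse('{"nested":{"__proto__":{"polluted":true}}}');
```

Run the guard on every descriptor or payload that crosses a trust boundary and log the returned reason; the version check belongs in a dependency audit step in CI rather than at request time.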
