How we found a Prototype Pollution in protobuf.js

Our colleagues Peter Samarin, Norbert Schneider and Fabian Meumertzheim recently built a new bug detector enabling our JavaScript fuzzing engine Jazzer.js to identify Prototype Pollution.

This work is now bearing its first fruits: As part of our ongoing collaboration with Google’s OSS-Fuzz, Jazzer.js recently uncovered a new Prototype Pollution vulnerability in protobuf.js (CVE-2023-36665).

Prototype pollution on its own is a primitive: it lets an attacker add or overwrite properties on Object.prototype, which every plain object in the process then inherits. Whether that escalates to remote code execution or denial of service depends on which application code later reads those polluted properties, so applications that feed untrusted protobuf definitions or messages into an affected protobuf.js version should treat this finding as a potential RCE and DoS risk.

In this demo, Peter will go over:
How Prototype Pollution works
How CVE-2023-36665 happened
How Jazzer.js was able to find it
The real-world implications of CVE-2023-36665 in protobuf.js
How to mitigate and remediate CVE-2023-36665
A step-by-step walkthrough of the vulnerability discovery process
A Q&A session to wrap things up
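The vulnerability class behind CVE-2023-36665, as an added illustration that is not part of the original page and not protobuf.js's own code: a "set a value at a dotted path" helper of the kind found in many libraries (the CVE record names protobuf.js's util.setProperty as the sink, reachable from parsing untrusted .proto input). The helper names, the hostile path and the legitimate option path below are constructed for the example. The vulnerable version walks onto Object.prototype when a path segment is "__proto__"; the hardened version refuses the reserved keys and only descends into own properties.

```javascript
// Constructed, deliberately vulnerable helper (not protobuf.js's util.setProperty).
// "a.b.c" walks/creates nested objects and assigns the last segment. If a segment
// is "__proto__", `cur` becomes Object.prototype and the assignment pollutes it.
function setPropertyUnsafe(dst, path, value) {
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined || typeof cur[parts[i]] !== "object") {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]]; // for "__proto__" this is Object.prototype
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Hardened variant: reject the keys that reach a prototype, and never follow an
// inherited property while descending (only own, non-null objects are entered).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function setPropertySafe(dst, path, value) {
  const parts = path.split(".");
  for (const p of parts) {
    if (FORBIDDEN_KEYS.has(p)) {
      throw new Error(`refusing to set reserved key "${p}" in path "${path}"`);
    }
  }
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
    if (!own || typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Runs both helpers against an attacker-controlled path (constructed input, e.g.
// an option name lifted from an untrusted .proto file) and reports what happened.
// The pollution is removed again so the rest of the process is unaffected.
function demo() {
  const out = {};
  const hostilePath = "__proto__.polluted";

  setPropertyUnsafe({}, hostilePath, "yes");
  out.unsafeLeaked = ({}).polluted;                                   // "yes" on a brand-new object
  out.unsafeOwn = Object.prototype.hasOwnProperty.call({}, "polluted"); // false: it is inherited
  delete Object.prototype.polluted;                                    // clean up the pollution
  out.afterCleanup = ({}).polluted;                                    // undefined again

  let safeRejected = false;
  try {
    setPropertySafe({}, hostilePath, "yes");
  } catch (e) {
    safeRejected = true;
  }
  out.safeRejected = safeRejected;
  out.safeStillPolluted = ({}).polluted !== undefined;                 // false

  // The hardened helper still handles legitimate nested paths.
  const legit = setPropertySafe({}, "options.java_package", "com.example");
  out.legitValue = legit.options.java_package;
  return out;
}

console.log(demo());
```

The `unsafeOwn === false` check is the practical tell when auditing: a value that shows up on a fresh `{}` but is not an own property is coming from the prototype chain. Deny-listing the three keys is the minimal fix; stronger options are to build intermediate objects with `Object.create(null)` or to keep parsed options in a `Map` so no user-supplied string is ever used as a property name.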

Access the Full Recording here:
https://www.code-intelligence.com/webinar/how-we-found-a-prototype-pollution-in-protobufjs