How we found a Prototype Pollution in protobuf.js


Our colleagues Peter Samarin, Norbert Schneider and Fabian Meumertzheim recently built a new bug detector that enables our JavaScript fuzzing engine Jazzer.js to identify Prototype Pollution. This work is now bearing its first fruits: as part of our ongoing collaboration with Google’s OSS-Fuzz, Jazzer.js recently uncovered a new Prototype Pollution vulnerability in protobuf.js (CVE-2023-36665).
This finding puts affected applications at risk of remote code execution and denial of service attacks.
In this demo, Peter will go over:
  • How Prototype Pollution works
  • How CVE-2023-36665 happened
  • How Jazzer.js was able to find it
  • The real-world implications of CVE-2023-36665 in protobuf.js
  • How to mitigate and remediate CVE-2023-36665
  • A step-by-step walkthrough of the vulnerability discovery process
  • A Q&A session to wrap things up
About the Speaker

Peter Samarin is a software developer and fuzzing expert at Code Intelligence.