![How we found a Prototype Pollution in Protobufjs](https://www.code-intelligence.com/hubfs/How%20we%20found%20a%20Prototype%20Pollution%20in%20Protobufjs%20%20(4).png)
How we found a Prototype Pollution in protobuf.js
CVE-2023-36665
Our colleagues Peter Samarin, Norbert Schneider and Fabian Meumertzheim recently built a new bug detector enabling our JavaScript fuzzing engine Jazzer.js to identify Prototype Pollution. This work is now bearing its first fruits: As part of our ongoing collaboration with Google’s OSS-Fuzz, Jazzer.js recently uncovered a new Prototype Pollution vulnerability in protobuf.js (CVE-2023-36665).
This finding puts affected applications at risk of remote code execution and denial of service attacks.
In this demo, Peter will go over:
- How Prototype Pollution works
- How CVE-2023-36665 happened
- How Jazzer.js was able to find it
- The real-world implications of CVE-2023-36665 in protobuf.js
- How to mitigate and remediate CVE-2023-36665
- A step-by-step walkthrough of the vulnerability discovery process
- A Q&A session to wrap things up
![Peter Samarin](https://www.code-intelligence.com/hubfs/AI%20Whitepaper%20-%20Linkedin%20-%201200x1200.png)
About the Speaker
Peter Samarin is a software developer and fuzzing expert at Code Intelligence.