Our colleagues Peter Samarin, Norbert Schneider and Fabian Meumertzheim recently built a new bug detector enabling our JavaScript fuzzing engine Jazzer.js to identify Prototype Pollution. This work is now bearing its first fruits: As part of our ongoing collaboration with Google’s OSS-Fuzz, Jazzer.js recently uncovered a new Prototype Pollution vulnerability in protobuf.js (CVE-2023-36665). 

This finding puts affected applications at risk of remote code execution and denial of service attacks.

In this demo, Peter will go over:

• How Prototype Pollution works

• How CVE-2023-36665 happened

• How Jazzer.js was able to find it

• The real-world implications of CVE-2023-36665 in protobuf.js

• How to mitigate and remediate CVE-2023-36665

• A step-by-step walkthrough of the vulnerability discovery process

• A Q&A session to wrap things up