CVE-2023-36665: 
JavaScript vulnerability analysis and mitigation

CVE-2023-36665 affects protobuf.js versions 6.10.0 through 7.x before 7.2.5. This vulnerability allows Prototype Pollution, which is distinct from CVE-2022-25878. The issue was discovered in July 2023 and affects the protobuf.js library, a popular JavaScript implementation of Protocol Buffers (NVD).

The vulnerability allows an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions through multiple attack vectors: (1) using the parse function to parse protobuf messages on the fly, (2) loading .proto files via load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. The vulnerability has received a CVSS v3.1 Base Score of 9.8 CRITICAL (Code Intelligence).

Successful exploitation of this vulnerability can lead to several severe consequences including remote code execution (RCE), denial of service (DoS) by overriding built-in functions, authentication/validation bypass, privilege escalation, and cross-site scripting (XSS). The vulnerability affects all objects created after the prototype pollution occurs (Code Intelligence).

The vulnerability has been fixed in version 7.2.5. Users are strongly recommended to upgrade to this version or later to address the security issue. The fix prevents the setProperty function from modifying the prototype by adding checks for 'proto' and 'prototype' attributes (GitHub Patch).