Intel

AIKIDO-2026-400467

geobuf is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

45

Medium Risk

This Affects:

JSgeobuf
1.0.0 - 3.0.2
Fixed in 4.0.0
Are you affected? Scan for Free

TL;DR

The geobuf decoder builds feature properties objects in readProps by assigning decoded key/value pairs directly onto a plain object. A specially crafted geobuf message can carry a property key such as __proto__, constructor, or prototype, so decoding writes onto the object prototype instead of the properties object. Before the fix this pollutes Object.prototype across the application, enabling property injection and denial of service. The fix drops those unsafe keys while decoding.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application decodes untrusted geobuf messages.

Background info

geobuf is vulnerable to Prototype Pollution in versions 1.0.0 - 3.0.2.

How to fix this

Upgrade the geobuf library to the patch version.