An attacker can use JavaScript prototype pollution in the Mafintosh protocol-buffers-schema library version 3.6.0 to modify properties on Object.prototype, as identified in the vulnerability entry. Such manipulation can alter application behavior, undermine authentication or authorization checks, trigger denial‑of‑service states, or in some contexts enable the execution of arbitrary code by the vulnerable host. The impact therefore includes potential code execution in addition to integrity compromise depending on how the parsed data is used in the target application.

The affected product is Mafintosh’s protocol‑buffers‑schema parser, specifically version 3.6.0. Any Node.js application that imports or depends on this version of the package is at risk. The vulnerability is tied solely to this single version; newer releases include fixes.

The CVSS score of 6.5 indicates a moderate severity. An EPSS score of less than 1% indicates a very low but non‑zero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so the current exploitation probability remains low. The vulnerability is typically exploitable remotely: an attacker can supply a crafted protocol buffer message to the vulnerable parser, thereby influencing the prototype chain before other application logic processes the data. Because prototype pollution can alter fundamental language behavior, the potential impact can be significant if the corrupted objects are later used for privileged operations.