protobufjs Prototype Pollution vulnerability
Critical severity • GitHub Reviewed • Published on Jul 5 to the GitHub Advisory Database • Updated last month
Vulnerability details
Dependabot alerts
1
Package
protobufjs (npm)
Affected versions
>= 7.0.0, < 7.2.4
>= 6.10.0, < 6.11.4
Patched versions
7.2.4
6.11.4
Description
protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than GHSA-g954-5hwp-pp24. A user-controlled protobuf message can be used by an attacker to pollute Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using the load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas GHSA-g954-5hwp-pp24 was about Object.__proto__.<new-property> = ...; instead.
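Two checks a defender wants after reading this description, as an added example that is not protobufjs code and not taken from the advisory or the linked fix commit: an isAffectedProtobufjsVersion() helper that flags the two version ranges listed above (useful when scanning a lockfile), and a hypothetical safeSetProperty() that shows the class of mitigation for a dotted-path property setter such as the util.setProperty named in the description: refuse the path segments ("__proto__", "constructor", "prototype") through which a write can escape the target object and reach the shared prototype chain. The function names, the FORBIDDEN_KEYS set and the sample paths are assumptions made for this example.

```javascript
// Added example (not protobufjs code). Assumed names: isAffectedProtobufjsVersion,
// safeSetProperty, FORBIDDEN_KEYS, AFFECTED_RANGES.

// Minimal semver parser: major.minor.patch, optional leading "v", prerelease ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Version ranges copied from the advisory's "Affected versions" section.
const AFFECTED_RANGES = [
  { from: "6.10.0", before: "6.11.4" },
  { from: "7.0.0", before: "7.2.4" },
];

// True when `version` falls inside an affected range (lower bound inclusive,
// upper bound exclusive, matching ">= x, < y").
function isAffectedProtobufjsVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => cmpVersion(v, parseVersion(r.from)) >= 0 &&
           cmpVersion(v, parseVersion(r.before)) < 0
  );
}

// Path segments that let a dotted-path write reach Object.prototype:
// "__proto__" directly, or "constructor" followed by "prototype".
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hypothetical hardened setter: writes `value` at dotted `path` inside `target`,
// creating intermediate objects as needed. Any forbidden or empty segment is
// rejected up front, and intermediates are created with Object.create(null) so
// they carry no prototype for a later write to traverse.
function safeSetProperty(target, path, value) {
  const parts = String(path).split(".");
  for (const p of parts) {
    if (p === "" || FORBIDDEN_KEYS.has(p)) {
      throw new Error(`refusing unsafe property path segment: "${p}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    // Only descend into an own, non-null object; never into an inherited value.
    if (!own || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Stand-alone usage on constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  console.log("7.2.3 affected:", isAffectedProtobufjsVersion("7.2.3")); // true
  console.log("7.2.4 affected:", isAffectedProtobufjsVersion("7.2.4")); // false
  const opts = safeSetProperty({}, "nested.option.flag", true);
  console.log(JSON.stringify(opts));
  try {
    safeSetProperty({}, "constructor.prototype.polluted", 1);
  } catch (e) {
    console.log("rejected:", e.message);
  }
}
```

The version check is deliberately strict about the upper bound: 7.2.4 and 6.11.4 are the patched releases and must report as not affected. The setter's rejection happens before any write, so a rejected path leaves both the target and Object.prototype untouched.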
References
https://nvd.nist.gov/vuln/detail/CVE-2023-36665
protobufjs/protobuf.js#1899
protobufjs/protobuf.js@e66379f
protobufjs/protobuf.js@protobufjs-v7.2.3...protobufjs-v7.2.4
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4
https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665
https://github.com/protobufjs/protobuf.js/commits/release-6.11.4
Patch it manually here:
protobufjs/protobuf.js@e66379f