Description
Versions of protobufjs before 5.0.3, and 6.x versions from 6.0.0 up to but not including 6.8.6, are vulnerable to a regular expression denial of service (ReDoS) when parsing crafted invalid *.proto files.
Recommendation
Update the protobufjs package to the latest compatible version. Version details:

Affected version(s): **< 5.0.3** and **>= 6.0.0, < 6.8.6**
Patched version(s): **5.0.3** and **6.8.6**
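Because protobufjs is frequently pulled in transitively, a fix at the top level of a project does not guarantee that every nested copy is patched. The following is an added example, not code from protobufjs or from this advisory: it walks a dependency tree in the shape printed by `npm ls --json --all` and flags every copy of protobufjs whose version falls in the affected ranges above. The function names, the helper semver comparison, and the sample tree (package names other than protobufjs are made up) are assumptions of this example.

```javascript
// Added example, not protobufjs project code: flag nested protobufjs copies
// in the affected ranges (< 5.0.3, or >= 6.0.0 and < 6.8.6) from the advisory.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into a comparable tuple.
// A prerelease (e.g. 6.8.6-rc.1) sorts below its final release, so the 4th
// element is 0 for prereleases and 1 for final releases.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The advisory's affected ranges, stated exactly: < 5.0.3, or >= 6.0.0 < 6.8.6.
function isAffected(version) {
  if (compareVersions(version, "5.0.3") < 0) return true;
  return compareVersions(version, "6.0.0") >= 0 && compareVersions(version, "6.8.6") < 0;
}

// Recursively collect affected protobufjs instances with their dependency path.
// `tree` has the shape of `npm ls --json` output:
//   { dependencies: { <name>: { version, dependencies: {...} } } }
// Entries without a version (missing/unresolved packages) are skipped, and a
// version npm prints in a non-semver form is reported rather than crashing the scan.
function findAffected(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    if (!node || !node.version) continue;
    const here = [...path, `${name}@${node.version}`];
    if (name === "protobufjs") {
      try {
        if (isAffected(node.version)) out.push({ version: node.version, path: here.join(" > ") });
      } catch (e) {
        out.push({ version: node.version, path: here.join(" > "), note: "unparseable version, check manually" });
      }
    }
    findAffected(node, here, out);
  }
  return out;
}

// Constructed sample shaped like `npm ls --json --all` output (not real project
// data); only the "protobufjs" entries matter to the scan.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    protobufjs: { version: "7.2.4" },
    "some-grpc-client": { version: "0.3.0", dependencies: { protobufjs: { version: "6.8.4" } } },
    "legacy-tool": { version: "2.1.0", dependencies: { protobufjs: { version: "5.0.1" } } },
  },
};

for (const hit of findAffected(SAMPLE_TREE)) {
  console.log(`affected protobufjs ${hit.version} via ${hit.path}${hit.note ? " (" + hit.note + ")" : ""}`);
}
```

Against the sample tree the top-level 7.2.4 copy passes, while the nested 6.8.4 and 5.0.1 copies are reported with the path that pulls them in, which is what you need to decide whether `npm update`, an `overrides` entry, or a dependency bump is the right fix. Independently of the version, treat *.proto text from untrusted sources as untrusted input: the parser is designed for schemas you control.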
References
Tags: npm, protobufjs
Last updated on April 11, 2023