Description
Versions of protobufjs before 5.0.3, and 6.x versions before 6.8.6, are vulnerable to a regular expression denial of service (ReDoS) when parsing crafted invalid *.proto files.
Recommendation
Update the protobufjs package to the latest compatible version. Version details follow:
Affected version(s): **< 5.0.3**; **>= 6.0.0, < 6.8.6**
Patched version(s): **5.0.3**; **6.8.6**
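The affected ranges above are easy to misread (5.0.3 through 5.x is not affected, only the 6.0.0 to 6.8.5 window is). The following added example, which is not part of the advisory or of the protobufjs project, encodes those two ranges as data, compares plain MAJOR.MINOR.PATCH versions against them, and walks a simplified package-lock style dependency tree (the tree layout and the sample data are constructed for this example) so that transitive copies of protobufjs are reported as well as direct ones.

```javascript
// Added example, not from the advisory: decide whether an installed protobufjs
// version falls inside the ranges the advisory lists as affected.
// Affected: < 5.0.3, or >= 6.0.0 and < 6.8.6. Patched: 5.0.3 and 6.8.6.

// Parse "MAJOR.MINOR.PATCH" into three integers; a leading "v" and any
// pre-release or build suffix are ignored for this comparison.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator over version strings: negative, zero or positive, like Array.sort.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// The advisory's ranges: lower bound inclusive (null = no lower bound),
// upper bound exclusive, so the patched release itself is never flagged.
const AFFECTED_RANGES = [
  { lower: null, upper: '5.0.3' },
  { lower: '6.0.0', upper: '6.8.6' },
];

function isAffected(version) {
  return AFFECTED_RANGES.some(({ lower, upper }) =>
    (lower === null || compareVersions(version, lower) >= 0) &&
    compareVersions(version, upper) < 0
  );
}

// Walk a nested { dependencies: { name: { version, dependencies } } } tree
// (a simplified, constructed stand-in for a lock file) and report every
// protobufjs entry that is still inside an affected range.
function findVulnerableProtobufjs(lock) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === 'protobufjs' && isAffected(info.version)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample tree: a patched direct dependency, one transitive copy
// pinned inside the affected 6.x window, and one on the 5.x patched release.
const SAMPLE_LOCK = {
  dependencies: {
    protobufjs: { version: '6.8.6' },
    'some-grpc-client': {
      version: '1.2.0',
      dependencies: { protobufjs: { version: '6.7.0' } },
    },
    'legacy-tool': {
      version: '0.9.1',
      dependencies: { protobufjs: { version: '5.0.3' } },
    },
  },
};

console.log(findVulnerableProtobufjs(SAMPLE_LOCK));
```

Only the transitive 6.7.0 copy is reported for the sample tree; the direct 6.8.6 and the nested 5.0.3 are both patched releases. Real lock files carry more fields than this constructed shape, so adapt `walk` to the format you actually use.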
References
Related Issues
- Regular Expression Denial of Service in highcharts (GHSA-xmc8-cjfr-phx3) - CVE-2018-20801
- Open Chinese Convert subject to Denial of Service via Out-of-bounds Read - CVE-2018-16982
- Unauthenticated Denial of Service in the octokit/webhooks library (GHSA-pwfr-8pq7-x9qv) - CVE-2023-50728
Tags:
- npm
- protobufjs
Last updated on April 11, 2023