Description
protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. An attacker who controls a protobuf message can use it to pollute Object.prototype, adding and overwriting its properties and functions.
Recommendation
Update the protobufjs package to the latest compatible version. Version details are as follows:
Affected version(s): **>= 7.0.0, < 7.2.5** and **>= 6.10.0, < 6.11.4**. Patched version(s): **7.2.5** and **6.11.4**.
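One way to act on the version ranges above, as an added example that is not part of the advisory: a Node.js script that scans an npm package-lock.json (v2/v3 "packages" shape) for every protobufjs install, nested copies included, and flags those inside the affected ranges. The ranges are the advisory's; the lockfile contents are constructed sample data.

```javascript
// Added example (not from the advisory): audit a package-lock.json for
// protobufjs installs that fall in the advisory's affected ranges.
// Ranges are taken from the advisory's Recommendation section.
const AFFECTED_RANGES = [
  { min: "6.10.0", maxExclusive: "6.11.4" },
  { min: "7.0.0", maxExclusive: "7.2.5" },
];

// Parse "MAJOR.MINOR.PATCH"; any pre-release/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two version strings component by component; returns -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when min <= version < maxExclusive for any affected range.
function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 &&
           compareVersions(version, r.maxExclusive) < 0
  );
}

// Walk the lockfile's "packages" map and report each protobufjs install,
// including copies nested under other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/protobufjs") || !meta.version) continue;
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile: a vulnerable top-level install and a patched nested copy.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/protobufjs": { version: "7.2.4" },
    "node_modules/some-lib/node_modules/protobufjs": { version: "6.11.4" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.affected ? "AFFECTED" : "ok"}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.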
References
- GHSA-h755-8qp9-cq85
- www.code-intelligence.com
- security.netapp.com
- CVE-2023-36665
- CWE-1321
- CAPEC-310
- OWASP 2021-A6
Related Issues
- tough-cookie Prototype Pollution vulnerability - CVE-2023-26136
- plotly.js prototype pollution vulnerability - CVE-2023-46308
- uPlot Prototype Pollution vulnerability - CVE-2024-21489
- Starcounter-Jack JSON-Patch Prototype Pollution vulnerability - CVE-2021-4279
Tags:
- npm
- protobufjs
Last updated on June 28, 2024