Description
protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions.
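The mechanism described above, prototype pollution through a user-controlled key path, is easiest to see in a generic "set value by dotted path" helper. The block below is an added illustration, not protobufjs's own code: a naive setter that will walk into `Object.prototype` when a path segment is `__proto__`, a hardened setter that rejects such segments, and a validator that scans a decoded message (here a constructed JSON object) for the dangerous keys before it is merged into anything. All function names are assumptions for this example.

```javascript
// Added example, not protobufjs code. Demonstrates the unsafe pattern and two
// defensive measures for user-controlled key paths / decoded message objects.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive setter: creates intermediate objects as needed. If a segment is
// "__proto__", `cur` becomes Object.prototype and the final write pollutes it.
function setByPathNaive(target, path, value) {
  const parts = path.split(".");
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened setter: refuses prototype-reaching segments up front and only
// traverses own properties, so a path can never leave the target object graph.
function setByPathSafe(target, path, value) {
  const parts = path.split(".");
  for (const p of parts) {
    if (DANGEROUS_KEYS.has(p)) throw new Error(`rejected unsafe path segment: ${p}`);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, parts[i]) ||
        cur[parts[i]] === null || typeof cur[parts[i]] !== "object") {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Validator: returns the dotted paths of every dangerous own key found in a
// decoded message, without descending into the dangerous subtree itself.
function findUnsafeKeys(obj, prefix = "") {
  const hits = [];
  if (obj === null || typeof obj !== "object") return hits;
  for (const key of Object.keys(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (DANGEROUS_KEYS.has(key)) {
      hits.push(path);
      continue;
    }
    hits.push(...findUnsafeKeys(obj[key], path));
  }
  return hits;
}

// Constructed sample input standing in for an untrusted decoded message.
const SAMPLE_MESSAGE = JSON.parse(
  '{"user":{"name":"alice","__proto__":{"isAdmin":true}},"count":1}'
);

function demo() {
  const unsafe = findUnsafeKeys(SAMPLE_MESSAGE); // ["user.__proto__"]
  let rejected = false;
  try {
    setByPathSafe({}, "__proto__.isAdmin", true);
  } catch (e) {
    rejected = true;
  }
  return { unsafe, rejected, polluted: ({}).isAdmin !== undefined };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run the validator on any decoded object before it is merged into configuration or passed to a path-based setter; a non-empty result should be treated as a rejected input and logged, since a benign message has no reason to carry these keys.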
Recommendation
Update the protobufjs package to the latest compatible version. Version details:
Affected version(s): **>= 6.10.0, < 6.11.4** and **>= 7.0.0, < 7.2.5**. Patched version(s): **6.11.4** and **7.2.5**.
References
- GHSA-h755-8qp9-cq85
- www.code-intelligence.com
- security.netapp.com
- CVE-2023-36665
- CWE-1321
- CAPEC-310
- OWASP 2021-A6
Related Issues
- plotly.js prototype pollution vulnerability - CVE-2023-46308
- tough-cookie Prototype Pollution vulnerability - CVE-2023-26136
- njwt Prototype Pollution vulnerability - CVE-2024-34273
- vue-i18n has cross-site scripting vulnerability with prototype pollution (GHSA-9r9m-ffp6-9x4v) 2 - CVE-2024-52809
Tags:
- npm
- protobufjs
Last updated on June 28, 2024