Description
protobuf.js (aka protobufjs) 6.10.0 up to and including 6.11.3, and 7.0.0 up to and including 7.2.4, allows Prototype Pollution. This is a different vulnerability from CVE-2022-25878. An attacker who controls a protobuf message processed by the library can pollute Object.prototype, adding or overwriting its properties and functions.
Recommendation
Update the protobufjs package to the latest compatible version. Version details:
- Affected version(s): **>= 7.0.0, < 7.2.5** and **>= 6.10.0, < 6.11.4**
- Patched version(s): **7.2.5** and **6.11.4**
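The following added example (not code from protobufjs or from this advisory's source) covers both points above: it checks an installed protobufjs version against the affected ranges stated here, and it provides a small Object.prototype canary a defender can use to detect that a decoded message has added keys to the prototype. The `package.json` path and the function names are assumptions.

```javascript
// Affected ranges as stated in the advisory (assumption: inclusive lower bound,
// exclusive upper bound, matching the ">= x, < y" notation used above).
const AFFECTED_RANGES = [
  { min: [6, 10, 0], maxExclusive: [6, 11, 4] },
  { min: [7, 0, 0], maxExclusive: [7, 2, 5] },
];

// Parse "1.2.3" or "v1.2.3" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True if the given protobufjs version lies inside one of the affected ranges.
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.maxExclusive) < 0
  );
}

// Reads the installed version from the package's package.json (path is an assumption).
function installedProtobufjsVersion(pkgJsonPath = 'node_modules/protobufjs/package.json') {
  const fs = require('fs');
  return JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8')).version;
}

// Detection aid: snapshot Object.prototype's own keys before handling untrusted
// messages, then list any keys that appeared afterwards (a pollution indicator).
function prototypeSnapshot() {
  return new Set(Reflect.ownKeys(Object.prototype).map(String));
}

function newPrototypeKeys(snapshot) {
  return Reflect.ownKeys(Object.prototype)
    .map(String)
    .filter((key) => !snapshot.has(key));
}
```

In an application, take `prototypeSnapshot()` at startup and call `newPrototypeKeys()` after decoding untrusted input; a non-empty result should be logged and treated as an incident indicator.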
References
- GHSA-h755-8qp9-cq85
- www.code-intelligence.com
- security.netapp.com
- CVE-2023-36665
- CWE-1321
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Cross Site Scripting vulnerability in store2 - CVE-2024-57556
- Bootstrap Cross-site Scripting vulnerability - CVE-2016-10735
- Prototype Pollution in protobufjs - CVE-2022-25878
- chromedriver Command Injection vulnerability - CVE-2023-26156
Tags
- npm
- protobufjs
Last updated on June 28, 2024