Description
The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.
This vulnerability can occur in multiple ways:
- by providing untrusted user input to util.
Recommendation
Update the protobufjs package to the latest compatible version. Followings are version details:
Affected version(s): **>= 6.10.0, < 6.10.3 >= 6.11.0, < 6.11.3** Patched version(s): **6.10.3 6.11.3**
References
Related Issues
- Remote code execution via MongoDB BSON parser through prototype pollution - CVE-2022-39396
- steal vulnerable to Prototype Pollution via requestedVersion variable - CVE-2022-37257
- steal vulnerable to Prototype Pollution via key variable in babel.js - CVE-2022-37266
- steal vulnerable to Prototype Pollution via optionName variable - CVE-2022-37264
- Tags:
- npm
- protobufjs
Anything's wrong? Let us know Last updated on November 29, 2023