Description
The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.
This vulnerability can occur in multiple ways:
- by providing untrusted user input to util.
Recommendation
Update the protobufjs package to the latest compatible version. Followings are version details:
Affected version(s): **>= 6.10.0, < 6.10.3 >= 6.11.0, < 6.11.3** Patched version(s): **6.10.3 6.11.3**
References
Related Issues
- thlorenz browserify-shim vulnerable to prototype pollution (GHSA-cfgr-75jx-h88g) - CVE-2022-37623
- steal vulnerable to Prototype Pollution via alias variable - CVE-2022-37265
- Prototype Pollution in Dexie - CVE-2022-21189
- Prototype Pollution in mout - CVE-2022-21213
- Tags:
- npm
- protobufjs
Anything's wrong? Let us know Last updated on November 29, 2023