logo

Database

Prototype Pollution In protobufjs

Description

Prototype Pollution in protobufjs The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.

This vulnerability can occur in multiple ways:

    by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions

    by parsing/loading .proto files

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-258782. NVD-2022-258783. OSV-2022-258784. GCVE-2022-25878

References

1. https://github.com/protobufjs/protobuf.js/pull/17312. https://github.com/protobufjs/protobuf.js/pull/17353. https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f4. https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.