You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about "Object.constructor.prototype. = ...;" whereas CVE-2022-25878 was about "Object.proto. = ...;" instead.
Vulnerable Library - @weareinreach/app-0.100.0.tgz
Found in HEAD commit: 5cf90163b7575b50f97bc4456af97c96b694745a
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2023-36665
Vulnerable Library - protobufjs-7.2.3.tgz
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 5cf90163b7575b50f97bc4456af97c96b694745a
Found in base branch: dev
Vulnerability Details
protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about "Object.constructor.prototype. = ...;" whereas CVE-2022-25878 was about "Object.proto. = ...;" instead.
Publish Date: 2023-07-05
URL: CVE-2023-36665
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665
Release Date: 2023-07-05
Fix Resolution: protobufjs - 7.2.4
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: