34selen

[PHP] mergeFromString() allows negative length varints, infinite loop / worker exhaustion DoS

3

## Summary The PHP Protobuf runtime (php/src/Google/Protobuf/Internal/*) accepts a crafted length-delimited field whose declared length varint becomes a negative integer after sign extension. That negative length is passed directly into...

## Summary (CWE-1321 Prototype Pollution) convict(schema) becomes globally polluted when the schema object contains a constructor.prototype.* path. During schema normalization/default propagation, the code walks into built-in properties and ends up...