
Prototype Pollution vulnerability

Open cupidchan opened this issue 1 year ago • 3 comments

protobuf.js version: 7.0.0 - 7.2.4

Just including the package to trigger the vulnerability warning. This is related to https://github.com/advisories/GHSA-h755-8qp9-cq85
 functions %>  npm audit fix

up to date, audited 1215 packages in 1s

174 packages are looking for funding
  run `npm fund` for details

# npm audit report

protobufjs  7.0.0 - 7.2.4
Severity: critical
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix`
node_modules/@google-cloud/pubsub/node_modules/protobufjs
  google-gax  2.2.1-pre - 2.2.1-pre.2 || 2.28.2-alpha.1 - 2.28.4-alpha.1 || 3.1.4 - 4.0.3
  Depends on vulnerable versions of protobufjs
  node_modules/@google-cloud/pubsub/node_modules/google-gax
    @google-cloud/pubsub  2.11.1-pre || 3.1.1 - 3.7.5
    Depends on vulnerable versions of google-gax
    node_modules/@google-cloud/pubsub

3 critical severity vulnerabilities

To address all issues, run:
  npm audit fix
1 functions %>  

cupidchan avatar Apr 18 '24 14:04 cupidchan

Any news here?

mgm793 avatar Apr 22 '24 09:04 mgm793

Bumping here

ItayElgazar avatar Apr 25 '24 09:04 ItayElgazar

Same question, how can we resolve this?

ByteCommitter avatar Jun 07 '24 07:06 ByteCommitter

Bump, this vulnerability has been active for months now.

joshnies avatar Jul 03 '24 14:07 joshnies

Bump again

DaveA-W avatar Jul 15 '24 02:07 DaveA-W

The issue has been patched since 6.11.4 and 7.2.5 respectively, as per CVE-2023-36665.

dcodeIO avatar Jul 16 '24 13:07 dcodeIO
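As an added example, not code from the protobuf.js project or from anyone in this thread: a small Node script that walks the JSON printed by `npm ls --all --json` and reports every resolved copy of protobufjs whose version is below the patched release for its major line (6.11.4 and 7.2.5, as stated in the last comment). The dependency tree below is constructed to mirror the `@google-cloud/pubsub > google-gax > protobufjs` chain in the audit report from the first post; the version-range table and the tree shape are assumptions of this example. Walking nested copies matters because the audit output shows the vulnerable protobufjs under `node_modules/@google-cloud/pubsub/node_modules/`, so checking only the top-level `protobufjs` version would miss it.

```javascript
// Added example (not protobuf.js project code): find resolved protobufjs copies
// in an `npm ls --all --json` tree that predate the patched versions named in
// this issue. Versions below are taken from the thread; everything else
// (tree shape, sample data) is constructed for illustration.

// Parse "MAJOR.MINOR.PATCH" into numbers; a pre-release suffix such as
// "-pre.2" is ignored for the comparison.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-way comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// First patched release per major line, as stated in the thread
// (CVE-2023-36665 / GHSA-h755-8qp9-cq85).
const PATCHED_PROTOBUFJS = { 6: '6.11.4', 7: '7.2.5' };

// True when the given protobufjs version is older than the patched release
// of its major line. Major lines the thread does not mention return false.
function isVulnerableProtobufjs(version) {
  const [major] = parseVersion(version);
  const patched = PATCHED_PROTOBUFJS[major];
  if (!patched) return false;
  return compareVersions(version, patched) < 0;
}

// Recursively walk an `npm ls --json` tree ({ dependencies: { name: { version,
// dependencies } } }) and collect every vulnerable protobufjs with its path.
function findVulnerableProtobufjs(tree, path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'protobufjs' && node.version && isVulnerableProtobufjs(node.version)) {
      findings.push({ path: here.join(' > '), version: node.version });
    }
    findings.push(...findVulnerableProtobufjs(node, here));
  }
  return findings;
}

// Constructed sample tree mirroring the chain in the audit report: the
// top-level protobufjs is already patched, but pubsub's nested google-gax
// still resolves an old copy.
const SAMPLE_TREE = {
  name: 'functions',
  dependencies: {
    '@google-cloud/pubsub': {
      version: '3.7.5',
      dependencies: {
        'google-gax': {
          version: '4.0.3',
          dependencies: {
            protobufjs: { version: '7.2.4' }
          }
        }
      }
    },
    protobufjs: { version: '7.2.5' }
  }
};

// Run against the constructed sample; on a real project, replace SAMPLE_TREE
// with JSON.parse of the output of `npm ls --all --json`.
console.log(findVulnerableProtobufjs(SAMPLE_TREE));
```

On a real checkout, pipe `npm ls --all --json` into `JSON.parse` and pass the result in place of `SAMPLE_TREE`; an empty array means no resolved protobufjs copy is below 6.11.4 or 7.2.5.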