GHSA-g954-5hwp-pp24: Prototype Pollution in protobufjs

Versions of the package protobufjs before 6.11.3 are vulnerable to Prototype Pollution, which can allow an attacker to add or modify properties of Object.prototype.

This vulnerability can occur in multiple ways:

  1. by providing untrusted user input to the util.setProperty or ReflectionObject.setParsedOption functions
  2. by parsing/loading .proto files
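
The pattern behind item 1, as an added example that is not protobufjs code: a dotted-path setter that follows every segment, beside a guarded version that rejects prototype-reaching segments. The function names, the forbidden-segment list and the sample path are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not protobufjs source code.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "prototype", "constructor"]);

// Vulnerable pattern: every segment is followed without filtering, so the
// segment "__proto__" resolves to Object.prototype.
function setPathNaive(target, path, value) {
  const parts = path.split(".");
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Hardened pattern: reject prototype-reaching segments up front and only
// descend into the target's own properties.
function setPathGuarded(target, path, value) {
  const parts = String(path).split(".");
  for (const part of parts) {
    if (FORBIDDEN_SEGMENTS.has(part)) throw new Error("illegal path segment: " + part);
  }
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Feeds one constructed untrusted path to both setters and reports whether a
// fresh, unrelated object ends up inheriting the marker property.
function demo() {
  const untrustedPath = "__proto__.pollutedMarker"; // constructed sample input
  setPathNaive({}, untrustedPath, true);
  const naivePolluted = ({}).pollutedMarker === true;
  delete Object.prototype.pollutedMarker; // restore global state
  let guardedRejected = false;
  try { setPathGuarded({}, untrustedPath, true); } catch (e) { guardedRejected = true; }
  const guardedPolluted = ({}).pollutedMarker === true;
  return { naivePolluted, guardedRejected, guardedPolluted };
}

console.log(demo());
```

A guard like this belongs in front of any path-based setter that receives untrusted keys; it does not replace upgrading past the affected versions.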
CVE ID: CVE-2022-25878

Prototype Pollution in protobufjs

High severity · GitHub Reviewed · Published May 28, 2022 · Updated Jun 2, 2022

Package: protobufjs (npm)

Affected versions: < 6.11.3

Related news

CVE-2022-25878: fix: do not let setProperty change the prototype by alexander-fenster · Pull Request #1731 · protobufjs/protobuf.js