CVE-2023-36665 vulnerability is still present in protobufjs 7.2.4

[aramikuto]

Protobufjs was updated to version 7.2.4 in https://github.com/googleapis/gax-nodejs/issues/1466 to address the CVE-2023-36665 vulnerability. However, it has been discovered that version 7.2.4 remains vulnerable. The latest version of firebase-tools (v13.7.2 at the monent) still relies on version ^3.6.1 of this package as a peer dependency.

Is it possible to release a patched 3.x version with protobufjs 7.2.5, where the vulnerability has been resolved?

├─ firebase-tools@npm:13.7.2 (via npm:^13.7.2)
│  └─ @google-cloud/pubsub@npm:3.7.5 (via npm:^3.0.1)
│     └─ google-gax@npm:3.6.1 (via npm:^3.6.1)
│        ├─ @grpc/grpc-js@npm:1.8.21 (via npm:~1.8.0)
│        │  └─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ proto3-json-serializer@npm:1.1.1 (via npm:^1.0.0)
│        │  └─ protobufjs@npm:7.2.6 (via npm:^7.0.0)
│        └─ protobufjs@npm:7.2.4 (via npm:7.2.4)

[scaryguy]

Same issue for @google-cloud/logging https://github.com/googleapis/nodejs-logging/issues/1496

[AlvesJorge]

This causes a critical vulnerability in @google-cloud/monitoring

@google-cloud/monitoring@4.0.0
  └─┬ google-gax@4.3.2
    ├─┬ @grpc/proto-loader@0.7.3
    │ └── protobufjs@7.1.2

[kvargha]

I'm experiencing this issue for @google-cloud/secret-manager and @google-cloud/datastore.

[leahecole]

I think this is fixed in #1596

[AlvesJorge]

Hi @leahecole The requirement @grpc/proto-loader itself requires protobufjs@7.1.2 which is still affected by this critical vulnerability. You specify "@grpc/proto-loader": "^0.7.0" and this version still comes with the protobufjs vulnerability. Latest published version of @grpc/proto-loader is 0.7.13, which already has this fixed. Please re-open this issue 🙏

[AlvesJorge]

Opened a PR to fix this, awaiting CODEOWNERS review