Critical security vulnerability CVE-2023-36665 needs to be corrected by upgrading protobufjs library to 7.2.5 or higher within gax library dependency in package.json file.

[rgarmas89aws]

(feywind edited for brevity)

Environment details

• OS: node18-Alpine
• Node.js version: 18
• npm version: 10.7.0
• @google-cloud/pubsub version: 4.3.3

Steps to reproduce

See vulnerability details in: https://github.com/advisories/GHSA-h755-8qp9-cq85

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype. = ...; whereas CVE-2022-25878 was about Object.proto. = ...; instead.

Attack scenario An external attacker for exposed endpoints.

[feywind]

Pub/Sub includes gax 4.0.3, which already pulls in protobufjs 7.2.4 (probably by semver). Renovate isn't issuing PRs to upgrade to newer gax versions, and there's a newer one that explicitly pulls in 7.2.4, so that'd be good to have.

Edit: Oh, I misread. 7.2.4 is no good either.