CVE-2023-36665 (Critical) detected in protobufjs-6.11.2.tgz

[mend-bolt-for-github[bot]]

CVE-2023-36665 - Critical Severity Vulnerability

Vulnerable Library - protobufjs-6.11.2.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-6.11.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/protobufjs/package.json

Dependency Hierarchy: - @zuri/utilities-1.0.0.tgz (Root Library) - centrifuge-2.8.3.tgz - :x: **protobufjs-6.11.2.tgz** (Vulnerable Library)

Found in HEAD commit: b144247b62e851190fe052db385e082185524e69

Found in base branch: dev

Vulnerability Details

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

Publish Date: 2023-07-05

URL: CVE-2023-36665

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-36665

Release Date: 2023-07-05

Fix Resolution: protobufjs - 6.11.4,7.2.5

---

Step up your Open Source Security Game with Mend here