CVE-2022-25878

Prototype Pollution in protobufjs

Description

The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

7.5

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Versions

protobufjs >= 6.11.0 < 6.11.3; protobufjs >= 6.10.0 < 6.10.3

Severity

High

Ecosystem

JavaScript

Publish Date

May 27, 2022

Modified Date

January 14, 2025