Unknown · Protobufjs · CVE-2023-36665
**Name of the Vulnerable Software and Affected Versions**
protobuf.js versions 6.10.0 through 7.2.4
**Description**
The issue allows Prototype Pollution: an attacker-controlled protobuf message can pollute `Object.prototype` by adding or overwriting its properties and functions. Exploitation can involve using the `parse` function to parse protobuf messages, loading .proto files with the `load` or `loadSync` functions, or providing untrusted input to the `ReflectionObject.setParsedOption` and `util.setProperty` functions.
**Recommendations**
For versions 6.10.0 through 7.2.4, update to version 7.2.5 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the `parse`, `load`, and `loadSync` functions, as well as the `ReflectionObject.setParsedOption` and `util.setProperty` functions, until the fixed version can be deployed.
Avoid providing untrusted input to these functions to minimize the risk of exploitation.
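The dotted-path setter pattern behind `util.setProperty` is what makes a path segment such as `__proto__` dangerous. As an added example that is not protobuf.js code, the following hypothetical `safeSetProperty` refuses segments that can reach a shared prototype, and `prototypeIsClean` gives a simple post-parse check that `Object.prototype` gained no unexpected own properties (the baseline array and the function names are assumptions for this illustration).

```javascript
// Added example, not the protobuf.js implementation: a hardened dotted-path
// property setter plus an integrity check for Object.prototype.

// Path segments that would let a write escape the target object and land on a
// shared prototype (e.g. "__proto__.x" or "constructor.prototype.x").
const UNSAFE_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Set obj[a][b][c] = value for the path "a.b.c", creating intermediate plain
// objects as needed. Throws instead of writing when any segment is unsafe.
function safeSetProperty(obj, path, value) {
  const parts = path.split(".");
  for (const part of parts) {
    if (UNSAFE_SEGMENTS.has(part)) {
      throw new Error(`refusing to set unsafe property segment: ${part}`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // Only descend into own, non-null object properties; never follow an
    // inherited property, which could itself live on a prototype.
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Snapshot the own property names of Object.prototype before handling
// untrusted input (e.g. before load()/parse()), then compare afterwards.
// Returns true when no own property was added or removed.
function prototypeIsClean(baseline) {
  const now = Object.getOwnPropertyNames(Object.prototype);
  return now.length === baseline.length && now.every((k) => baseline.includes(k));
}

// Usage sketch with constructed input: a benign path succeeds, a polluting
// path is rejected before any write happens.
const baseline = Object.getOwnPropertyNames(Object.prototype);
safeSetProperty({}, "options.deprecated", true);
try {
  safeSetProperty({}, "__proto__.polluted", true);
} catch (e) {
  // expected: the unsafe segment is refused
}
console.log("Object.prototype clean:", prototypeIsClean(baseline));
```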