PT-2022-17583 · Unknown · Protobufjs

Alessio Della Libera · Published 2022-05-27 · Updated 2024-06-28 · CVE-2022-25878

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Name of the Vulnerable Software and Affected Versions: protobufjs versions prior to 6.11.3
Description: protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which lets an attacker add or modify properties of Object.prototype and thereby of every plain object in the process. The affected code paths are util.setProperty and ReflectionObject.setParsedOption, which walk dotted property paths without refusing the __proto__ segment. They are reached in two ways: by passing untrusted input directly to either function, or by parsing or loading an untrusted .proto file, whose option names are applied through setParsedOption.
Recommendations: Update to protobufjs 6.11.3 or later. Check which versions are actually installed, including transitive copies pulled in by other packages, with npm ls protobufjs. Until the update is applied, pass only trusted input to util.setProperty and ReflectionObject.setParsedOption, and do not parse or load .proto files from untrusted sources.
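The mechanism behind the description and the workaround above, as an added example that is not protobufjs's own code: a dotted-path property setter of the kind that underlies util.setProperty and the option handling behind setParsedOption, in a vulnerable form next to a hardened form. The path "(my_option).__proto__.polluted" is a constructed attacker-controlled option name shaped like a custom option reference; the function names, the BLOCKED_SEGMENTS list and the prototypeIsClean check are assumptions made for this example.

```javascript
// Added illustrative example: a dotted-path setter in the style of the code
// paths named in the advisory. NOT protobufjs's own code; it reproduces the
// class of bug (walking "__proto__" as an ordinary segment) and the class of fix.
"use strict";

// Path segments that must never be walked or assigned through a dotted path:
// "__proto__" reaches Object.prototype directly, "constructor.prototype" indirectly.
const BLOCKED_SEGMENTS = new Set(["__proto__", "prototype", "constructor"]);

// Vulnerable-style setter: every segment is trusted. With "__proto__" in the
// path, `cur` becomes Object.prototype and the final assignment pollutes it.
function setPropertyUnsafe(dst, path, value) {
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (cur[part] === undefined || cur[part] === null) cur[part] = {};
    cur = cur[part]; // for "__proto__" this is Object.prototype
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Hardened setter: refuse prototype-reaching segments up front, and only
// descend into properties the object itself owns, so an inherited value is
// never reused as a container.
function setPropertySafe(dst, path, value) {
  if (typeof dst !== "object" || dst === null) throw new TypeError("dst must be an object");
  const parts = path.split(".");
  for (const part of parts) {
    if (part === "" || BLOCKED_SEGMENTS.has(part)) {
      throw new TypeError(`refusing to set property through segment "${part}"`);
    }
  }
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (!Object.prototype.hasOwnProperty.call(cur, part) ||
        typeof cur[part] !== "object" || cur[part] === null) {
      cur[part] = {};
    }
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Process-wide check worth running after parsing untrusted schemas:
// Object.prototype should carry no own enumerable keys.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed attacker-controlled option name, shaped like a custom option
// reference from a .proto file ("(ext_name).field") with a poisoned segment.
const POISONED_PATH = "(my_option).__proto__.polluted";

// Apply the poisoned path to a throwaway object and report what an unrelated,
// freshly created object then inherits. Cleans up afterwards so the rest of
// the process is not left polluted.
function demoUnsafe() {
  const scratch = {};
  try {
    setPropertyUnsafe(scratch, POISONED_PATH, "yes");
    return { inherited: ({}).polluted, cleanDuring: prototypeIsClean() };
  } finally {
    delete Object.prototype.polluted;
  }
}

// Same input against the hardened setter: rejected, nothing reaches Object.prototype.
function demoSafe() {
  let rejected = false;
  try {
    setPropertySafe({}, POISONED_PATH, "yes");
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  return { rejected, polluted: ({}).polluted };
}

console.log("unsafe:", demoUnsafe()); // { inherited: 'yes', cleanDuring: false }
console.log("safe:", demoSafe());     // { rejected: true, polluted: undefined }
console.log("clean now:", prototypeIsClean());
```

The point of the hardened version is that the guard sits in the path walker itself, so it protects every caller at once, including the .proto parser that feeds option names through it; filtering at only one call site would leave the other entry point open. The exact protobufjs implementation is not reproduced here.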

Links: Exploit · Fix

Tags: Prototype Pollution


Weakness Enumeration

Related Identifiers

CVE-2022-25878
GHSA-G954-5HWP-PP24
SNYK-JAVA-ORGWEBJARSNPM-2841507
SNYK-JS-PROTOBUFJS-2441248

Affected Products

Protobufjs