CVE-2023-36665

Name of the Vulnerable Software and Affected Versions protobuf.js versions 6.10.0 through 7.2.4

Description The issue allows Prototype Pollution, where a user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve using the parse function to parse protobuf messages, loading .proto files by using load or loadSync functions, or providing untrusted input to the ReflectionObject.setParsedOption and util.setProperty functions.

Recommendations For versions 6.10.0 through 7.2.4, update to version 7.2.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the parse, load, and loadSync functions, as well as the ReflectionObject.setParsedOption and util.setProperty functions, until a patch is available. Avoid providing untrusted input to these functions to minimize the risk of exploitation.