Vulnerability	Vulnerable Version
H Prototype Pollution protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Prototype Pollution. A user-controlled protobuf message can be used by an attacker to pollute the prototype of `Object.prototype` by adding and overwriting its data and functions. Exploitation can involve: using the function parse to parse protobuf messages on the fly, loading `.proto` files by using `load/loadSync` functions, or providing untrusted input to the functions `ReflectionObject.setParsedOption` and `util.setProperty` Note: This is a different issue from CVE-2022-25878 Users who use this package from npm can rest assured that version 7.2.4 includes the fixed code. Developers using this package from a different CDN should consider 7.2.5 as the fixed version. How to fix Prototype Pollution? Upgrade `protobufjs` to version 6.11.4, 7.2.4 or higher.	>=6.10.0 <6.11.4>=7.2.0 <7.2.4
H Prototype Pollution protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the `Object.prototype`. This vulnerability can occur in multiple ways: by providing untrusted user input to `util.setProperty` or to `ReflectionObject.setParsedOption` functions by parsing/loading `.proto` files How to fix Prototype Pollution? Upgrade `protobufjs` to version 6.10.3, 6.11.3 or higher.	>=6.10.0 <6.10.3>=6.11.0 <6.11.3

Prototype Pollution

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Prototype Pollution. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve:

using the function parse to parse protobuf messages on the fly,
loading .proto files by using load/loadSync functions, or
providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty

Note:

This is a different issue from CVE-2022-25878
Users who use this package from npm can rest assured that version 7.2.4 includes the fixed code.

Developers using this package from a different CDN should consider 7.2.5 as the fixed version.

How to fix Prototype Pollution?

Upgrade protobufjs to version 6.11.4, 7.2.4 or higher.

>=6.10.0 <6.11.4>=7.2.0 <7.2.4

Prototype Pollution

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype.

This vulnerability can occur in multiple ways:

by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions
by parsing/loading .proto files

How to fix Prototype Pollution?

Upgrade protobufjs to version 6.10.3, 6.11.3 or higher.

>=6.10.0 <6.10.3>=6.11.0 <6.11.3

Go back to all versions of this package