Vulnerability	Vulnerable Version
H Prototype Pollution protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Prototype Pollution. A user-controlled protobuf message can be used by an attacker to pollute the prototype of `Object.prototype` by adding and overwriting its data and functions. Exploitation can involve: using the function parse to parse protobuf messages on the fly, loading `.proto` files by using `load/loadSync` functions, or providing untrusted input to the functions `ReflectionObject.setParsedOption` and `util.setProperty` Note: This is a different issue from CVE-2022-25878 Users who use this package from npm can rest assured that version 7.2.4 includes the fixed code. Developers using this package from a different CDN should consider 7.2.5 as the fixed version. How to fix Prototype Pollution? Upgrade `protobufjs` to version 6.11.4, 7.2.4 or higher.	>=6.10.0 <6.11.4>=7.2.0 <7.2.4

Prototype Pollution

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Prototype Pollution. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve:

using the function parse to parse protobuf messages on the fly,
loading .proto files by using load/loadSync functions, or
providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty

Note:

This is a different issue from CVE-2022-25878
Users who use this package from npm can rest assured that version 7.2.4 includes the fixed code.

Developers using this package from a different CDN should consider 7.2.5 as the fixed version.

How to fix Prototype Pollution?

Upgrade protobufjs to version 6.11.4, 7.2.4 or higher.

>=6.10.0 <6.11.4>=7.2.0 <7.2.4

Go back to all versions of this package