protobufjs 7.6.0

Direct Vulnerabilities

Known vulnerabilities in the protobufjs package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Arbitrary Code Injection protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Arbitrary Code Injection via the `pbjs` static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated JavaScript output, which is then executed or imported by the application or build process. Note: This is only exploitable if the application or build process runs `pbjs` static code generation on a pre-parsed JSON descriptor influenced by an attacker, the generated JavaScript file is subsequently executed or imported, and an affected generated API path is invoked. How to fix Arbitrary Code Injection? Upgrade `protobufjs` to version 7.6.2, 8.5.0 or higher.	<7.6.2>=8.0.0-experimental <8.5.0
H Uncontrolled Recursion protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Uncontrolled Recursion during the JSON conversion. An attacker can exhaust the call stack and cause the application to crash by supplying crafted protobuf binary data containing deeply nested `Any` values that are expanded during conversion. This is only exploitable if the application decodes attacker-influenced protobuf binary data, the schema includes `google.protobuf.Any`, the referenced `type_url` resolves to a loaded message type, and the application converts the decoded message to JSON or a plain object through an affected conversion path with deeply nested `Any` values. How to fix Uncontrolled Recursion? Upgrade `protobufjs` to version 7.6.1, 8.4.1 or higher.	<7.6.1>=8.0.0 <8.4.1
M Improper Check for Unusual or Exceptional Conditions protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the schema-derived names that collide with runtime-significant properties. An attacker can cause affected message or service types to become unusable, resulting in denial of service for the relevant processing path, by providing or influencing protobuf schemas or JSON descriptors containing problematic names such as `hasOwnProperty`, `$type`, or `rpcCall`. How to fix Improper Check for Unusual or Exceptional Conditions? Upgrade `protobufjs` to version 7.6.3, 8.6.0 or higher.	<7.6.3>=8.0.0 <8.6.0

Vulnerability

Vulnerable Version

Arbitrary Code Injection

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated JavaScript output, which is then executed or imported by the application or build process.

Note:

This is only exploitable if the application or build process runs pbjs static code generation on a pre-parsed JSON descriptor influenced by an attacker, the generated JavaScript file is subsequently executed or imported, and an affected generated API path is invoked.

How to fix Arbitrary Code Injection?

Upgrade protobufjs to version 7.6.2, 8.5.0 or higher.

<7.6.2>=8.0.0-experimental <8.5.0

Uncontrolled Recursion

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Uncontrolled Recursion during the JSON conversion. An attacker can exhaust the call stack and cause the application to crash by supplying crafted protobuf binary data containing deeply nested Any values that are expanded during conversion. This is only exploitable if the application decodes attacker-influenced protobuf binary data, the schema includes google.protobuf.Any, the referenced type_url resolves to a loaded message type, and the application converts the decoded message to JSON or a plain object through an affected conversion path with deeply nested Any values.

How to fix Uncontrolled Recursion?

Upgrade protobufjs to version 7.6.1, 8.4.1 or higher.

<7.6.1>=8.0.0 <8.4.1

Improper Check for Unusual or Exceptional Conditions

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the schema-derived names that collide with runtime-significant properties. An attacker can cause affected message or service types to become unusable, resulting in denial of service for the relevant processing path, by providing or influencing protobuf schemas or JSON descriptors containing problematic names such as hasOwnProperty, $type, or rpcCall.

How to fix Improper Check for Unusual or Exceptional Conditions?

Upgrade protobufjs to version 7.6.3, 8.6.0 or higher.

<7.6.3>=8.0.0 <8.6.0

protobufjs@7.6.0

Protocol Buffers for JavaScript & TypeScript.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically