protobufjs 8.0.1-experimental

Direct Vulnerabilities

Known vulnerabilities in the protobufjs package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Arbitrary Code Injection protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Arbitrary Code Injection via the `pbjs` static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated JavaScript output, which is then executed or imported by the application or build process. Note: This is only exploitable if the application or build process runs `pbjs` static code generation on a pre-parsed JSON descriptor influenced by an attacker, the generated JavaScript file is subsequently executed or imported, and an affected generated API path is invoked. How to fix Arbitrary Code Injection? Upgrade `protobufjs` to version 7.6.2, 8.5.0 or higher.	<7.6.2>=8.0.0-experimental <8.5.0
H Uncontrolled Recursion protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Uncontrolled Recursion during the JSON conversion. An attacker can exhaust the call stack and cause the application to crash by supplying crafted protobuf binary data containing deeply nested `Any` values that are expanded during conversion. This is only exploitable if the application decodes attacker-influenced protobuf binary data, the schema includes `google.protobuf.Any`, the referenced `type_url` resolves to a loaded message type, and the application converts the decoded message to JSON or a plain object through an affected conversion path with deeply nested `Any` values. How to fix Uncontrolled Recursion? Upgrade `protobufjs` to version 7.6.1, 8.4.1 or higher.	<7.6.1>=8.0.0 <8.4.1
M Improper Check for Unusual or Exceptional Conditions protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the schema-derived names that collide with runtime-significant properties. An attacker can cause affected message or service types to become unusable, resulting in denial of service for the relevant processing path, by providing or influencing protobuf schemas or JSON descriptors containing problematic names such as `hasOwnProperty`, `$type`, or `rpcCall`. How to fix Improper Check for Unusual or Exceptional Conditions? Upgrade `protobufjs` to version 7.6.3, 8.6.0 or higher.	<7.6.3>=8.0.0 <8.6.0
H Arbitrary Code Injection protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Arbitrary Code Injection via the `pbjs` static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated JavaScript output, which is then executed or imported by the application or build process. How to fix Arbitrary Code Injection? Upgrade `protobufjs` to version 7.5.6, 8.0.2 or higher.	<7.5.6>=8.0.0-experimental <8.0.2
M Uncontrolled Recursion protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Uncontrolled Recursion through the `Root.fromJSON` or `Namespace.addJSON` functions. An attacker can cause resource exhaustion and disrupt service availability by submitting a crafted JSON descriptor with deeply nested namespace definitions. Note: This is only exploitable if all of the following conditions are met: The application must load JSON descriptor data influenced by an attacker. The crafted descriptor must contain deeply nested nested namespace objects. The affected `Root.fromJSON()` / `Namespace.addJSON()` descriptor expansion path must process the crafted input. How to fix Uncontrolled Recursion? Upgrade `protobufjs` to version 7.5.8, 8.2.0 or higher.	<7.5.8>=8.0.0 <8.2.0
H Arbitrary Code Injection protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Arbitrary Code Injection in the `toObject` function when handling a schema-controlled `bytes` field default value. An attacker can execute arbitrary JavaScript code by providing a crafted descriptor with a malicious default value for a `bytes` field, which is then used in the generated conversion function. How to fix Arbitrary Code Injection? Upgrade `protobufjs` to version 7.5.6, 8.0.2 or higher.	<7.5.6>=8.0.0-experimental <8.0.2
M Prototype Pollution protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Prototype Pollution via schema option path handling. An attacker can perform prototype pollution by supplying a crafted protobuf schema or JSON descriptor whose option paths traverse inherited properties, allowing writes to global JavaScript constructors and corrupting process-wide state, leading to persistent denial of service. Note: This is only exploitable if the application allows an attacker to control or influence a protobuf schema or JSON descriptor and parses or loads that schema through reflection APIs such as `parse`, `Root.load`, `Root.loadSync`, or `Root.fromJSON`, with crafted input containing option paths that reach unsafe inherited properties during option processing. How to fix Prototype Pollution? Upgrade `protobufjs` to version 7.5.6, 8.0.2 or higher.	<7.5.6>=8.0.0-experimental <8.0.2
M Prototype Pollution protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Prototype Pollution in the process of copying enumerable properties from a user-supplied object to a generated message instance without filtering the `__proto__` property. An attacker can alter the prototype of individual message instances by supplying an object containing an own enumerable `__proto__` property. Note: This is only exploitable if the application allows plain objects to be passed to message constructors or creation helpers that copy arbitrary enumerable properties. How to fix Prototype Pollution? Upgrade `protobufjs` to version 7.5.6, 8.0.2 or higher.	<7.5.6>=8.0.0-experimental <8.0.2
H Prototype Pollution protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Prototype Pollution in the code generation. An attacker who has achieved prototype pollution by a different exploit can execute arbitrary JavaScript code by polluting `Object.prototype` prior to invoking the affected process. Note: This is only exploitable if the application uses protobufjs functionality that generates encode or decode code for affected types. How to fix Prototype Pollution? Upgrade `protobufjs` to version 7.5.6, 8.0.2 or higher.	<7.5.6>=8.0.0-experimental <8.0.2
M Improper Check for Unusual or Exceptional Conditions protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions when handling field names containing control characters in schemas or JSON descriptors. An attacker can cause runtime errors and disrupt application functionality by supplying crafted schemas or descriptors that trigger syntax errors during code generation. Note: This is only exploitable if the application loads untrusted schemas or descriptors and performs operations that trigger code generation, such as encode, decode, verify, `fromObject`, or `toObject`. How to fix Improper Check for Unusual or Exceptional Conditions? Upgrade `protobufjs` to version 7.5.6, 8.0.2 or higher.	<7.5.6>=8.0.0-experimental <8.0.2
H Uncontrolled Recursion protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Uncontrolled Recursion through unbounded recursion when decoding nested message fields. An attacker can exhaust the call stack and cause the application to crash by supplying specially crafted protobuf binary data containing deeply nested structures. How to fix Uncontrolled Recursion? Upgrade `protobufjs` to version 7.5.6, 8.0.2 or higher.	<7.5.6>=8.0.0-experimental <8.0.2
M Improper Handling of Unicode Encoding protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in the decoding of overlong UTF-8 strings. An attacker can bypass application-level byte filtering or validation by sending malicious sequences that decode to canonical characters. This is only exploitable if the application decodes protobuf binary data using the minimal UTF-8 decoder and relies on byte-level filtering before string decoding. How to fix Improper Handling of Unicode Encoding? Upgrade `protobufjs` to version 7.5.6, 8.0.2, 8.0.3, 8.2.0 or higher.	<7.5.6>=8.0.0-experimental <8.0.2>=8.0.3-experimental <8.0.3>=8.0.4-experimental <8.2.0
C Arbitrary Code Injection protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Arbitrary Code Injection through the handling of user-supplied protobuf definitions, specifically via the Type's `name` field. An attacker can execute arbitrary JavaScript code by injecting malicious payloads into the protobuf definition, which are then executed during object decoding. Notes: The vulnerability was introduced during the migration to codegen 2 where sanitization of the type name was modified. Additional security measures were introduced in `@protobufjs/codegen@2.0.5`, which could hinder exploitation on vulnerable versions. How to fix Arbitrary Code Injection? Upgrade `protobufjs` to version 6.11.6, 7.5.5, 8.0.1 or higher.	>=6.8.0 <6.11.6>=7.0.0 <7.5.5>=8.0.0-experimental <8.0.1

Vulnerability

Vulnerable Version

Arbitrary Code Injection

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated JavaScript output, which is then executed or imported by the application or build process.

Note:

This is only exploitable if the application or build process runs pbjs static code generation on a pre-parsed JSON descriptor influenced by an attacker, the generated JavaScript file is subsequently executed or imported, and an affected generated API path is invoked.

How to fix Arbitrary Code Injection?

Upgrade protobufjs to version 7.6.2, 8.5.0 or higher.

<7.6.2>=8.0.0-experimental <8.5.0

Uncontrolled Recursion

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Uncontrolled Recursion during the JSON conversion. An attacker can exhaust the call stack and cause the application to crash by supplying crafted protobuf binary data containing deeply nested Any values that are expanded during conversion. This is only exploitable if the application decodes attacker-influenced protobuf binary data, the schema includes google.protobuf.Any, the referenced type_url resolves to a loaded message type, and the application converts the decoded message to JSON or a plain object through an affected conversion path with deeply nested Any values.

How to fix Uncontrolled Recursion?

Upgrade protobufjs to version 7.6.1, 8.4.1 or higher.

<7.6.1>=8.0.0 <8.4.1

Improper Check for Unusual or Exceptional Conditions

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the schema-derived names that collide with runtime-significant properties. An attacker can cause affected message or service types to become unusable, resulting in denial of service for the relevant processing path, by providing or influencing protobuf schemas or JSON descriptors containing problematic names such as hasOwnProperty, $type, or rpcCall.

How to fix Improper Check for Unusual or Exceptional Conditions?

Upgrade protobufjs to version 7.6.3, 8.6.0 or higher.

<7.6.3>=8.0.0 <8.6.0

Arbitrary Code Injection

protobufjs is a protocol buffer for JavaScript (& TypeScript).

How to fix Arbitrary Code Injection?

Upgrade protobufjs to version 7.5.6, 8.0.2 or higher.

<7.5.6>=8.0.0-experimental <8.0.2

Uncontrolled Recursion

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Uncontrolled Recursion through the Root.fromJSON or Namespace.addJSON functions. An attacker can cause resource exhaustion and disrupt service availability by submitting a crafted JSON descriptor with deeply nested namespace definitions.

Note:

This is only exploitable if all of the following conditions are met:

The application must load JSON descriptor data influenced by an attacker.
The crafted descriptor must contain deeply nested nested namespace objects.
The affected Root.fromJSON() / Namespace.addJSON() descriptor expansion path must process the crafted input.

How to fix Uncontrolled Recursion?

Upgrade protobufjs to version 7.5.8, 8.2.0 or higher.

<7.5.8>=8.0.0 <8.2.0

Arbitrary Code Injection

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Arbitrary Code Injection in the toObject function when handling a schema-controlled bytes field default value. An attacker can execute arbitrary JavaScript code by providing a crafted descriptor with a malicious default value for a bytes field, which is then used in the generated conversion function.

How to fix Arbitrary Code Injection?

Upgrade protobufjs to version 7.5.6, 8.0.2 or higher.

<7.5.6>=8.0.0-experimental <8.0.2

Prototype Pollution

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Prototype Pollution via schema option path handling. An attacker can perform prototype pollution by supplying a crafted protobuf schema or JSON descriptor whose option paths traverse inherited properties, allowing writes to global JavaScript constructors and corrupting process-wide state, leading to persistent denial of service.

Note: This is only exploitable if the application allows an attacker to control or influence a protobuf schema or JSON descriptor and parses or loads that schema through reflection APIs such as parse, Root.load, Root.loadSync, or Root.fromJSON, with crafted input containing option paths that reach unsafe inherited properties during option processing.

How to fix Prototype Pollution?

Upgrade protobufjs to version 7.5.6, 8.0.2 or higher.

<7.5.6>=8.0.0-experimental <8.0.2

Prototype Pollution

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Prototype Pollution in the process of copying enumerable properties from a user-supplied object to a generated message instance without filtering the __proto__ property. An attacker can alter the prototype of individual message instances by supplying an object containing an own enumerable __proto__ property.

Note: This is only exploitable if the application allows plain objects to be passed to message constructors or creation helpers that copy arbitrary enumerable properties.

How to fix Prototype Pollution?

Upgrade protobufjs to version 7.5.6, 8.0.2 or higher.

<7.5.6>=8.0.0-experimental <8.0.2

Prototype Pollution

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Prototype Pollution in the code generation. An attacker who has achieved prototype pollution by a different exploit can execute arbitrary JavaScript code by polluting Object.prototype prior to invoking the affected process.

Note: This is only exploitable if the application uses protobufjs functionality that generates encode or decode code for affected types.

How to fix Prototype Pollution?

Upgrade protobufjs to version 7.5.6, 8.0.2 or higher.

<7.5.6>=8.0.0-experimental <8.0.2

Improper Check for Unusual or Exceptional Conditions

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions when handling field names containing control characters in schemas or JSON descriptors. An attacker can cause runtime errors and disrupt application functionality by supplying crafted schemas or descriptors that trigger syntax errors during code generation.

Note: This is only exploitable if the application loads untrusted schemas or descriptors and performs operations that trigger code generation, such as encode, decode, verify, fromObject, or toObject.

How to fix Improper Check for Unusual or Exceptional Conditions?

Upgrade protobufjs to version 7.5.6, 8.0.2 or higher.

<7.5.6>=8.0.0-experimental <8.0.2

Uncontrolled Recursion

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Uncontrolled Recursion through unbounded recursion when decoding nested message fields. An attacker can exhaust the call stack and cause the application to crash by supplying specially crafted protobuf binary data containing deeply nested structures.

How to fix Uncontrolled Recursion?

Upgrade protobufjs to version 7.5.6, 8.0.2 or higher.

<7.5.6>=8.0.0-experimental <8.0.2

Improper Handling of Unicode Encoding

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in the decoding of overlong UTF-8 strings. An attacker can bypass application-level byte filtering or validation by sending malicious sequences that decode to canonical characters. This is only exploitable if the application decodes protobuf binary data using the minimal UTF-8 decoder and relies on byte-level filtering before string decoding.

How to fix Improper Handling of Unicode Encoding?

Upgrade protobufjs to version 7.5.6, 8.0.2, 8.0.3, 8.2.0 or higher.

<7.5.6>=8.0.0-experimental <8.0.2>=8.0.3-experimental <8.0.3>=8.0.4-experimental <8.2.0

Arbitrary Code Injection

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Arbitrary Code Injection through the handling of user-supplied protobuf definitions, specifically via the Type's name field. An attacker can execute arbitrary JavaScript code by injecting malicious payloads into the protobuf definition, which are then executed during object decoding.

Notes:

The vulnerability was introduced during the migration to codegen 2 where sanitization of the type name was modified.
Additional security measures were introduced in @protobufjs/codegen@2.0.5, which could hinder exploitation on vulnerable versions.

How to fix Arbitrary Code Injection?

Upgrade protobufjs to version 6.11.6, 7.5.5, 8.0.1 or higher.

>=6.8.0 <6.11.6>=7.0.0 <7.5.5>=8.0.0-experimental <8.0.1

protobufjs@8.0.1-experimental

Protocol Buffers for JavaScript & TypeScript.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically