protobufjs 8.1.5-experimental

Direct Vulnerabilities

Known vulnerabilities in the protobufjs package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Uncontrolled Recursion protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Uncontrolled Recursion through the `Root.fromJSON` or `Namespace.addJSON` functions. An attacker can cause resource exhaustion and disrupt service availability by submitting a crafted JSON descriptor with deeply nested namespace definitions. Note: This is only exploitable if all of the following conditions are met: The application must load JSON descriptor data influenced by an attacker. The crafted descriptor must contain deeply nested nested namespace objects. The affected `Root.fromJSON()` / `Namespace.addJSON()` descriptor expansion path must process the crafted input. How to fix Uncontrolled Recursion? Upgrade `protobufjs` to version 7.5.8, 8.2.0 or higher.	<7.5.8>=8.0.0 <8.2.0
M Improper Handling of Unicode Encoding protobufjs is a protocol buffer for JavaScript (& TypeScript). Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in the decoding of overlong UTF-8 strings. An attacker can bypass application-level byte filtering or validation by sending malicious sequences that decode to canonical characters. This is only exploitable if the application decodes protobuf binary data using the minimal UTF-8 decoder and relies on byte-level filtering before string decoding. How to fix Improper Handling of Unicode Encoding? Upgrade `protobufjs` to version 7.5.6, 8.0.2, 8.0.3, 8.2.0 or higher.	<7.5.6>=8.0.0-experimental <8.0.2>=8.0.3-experimental <8.0.3>=8.0.4-experimental <8.2.0

Vulnerability

Vulnerable Version

Uncontrolled Recursion

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Uncontrolled Recursion through the Root.fromJSON or Namespace.addJSON functions. An attacker can cause resource exhaustion and disrupt service availability by submitting a crafted JSON descriptor with deeply nested namespace definitions.

Note:

This is only exploitable if all of the following conditions are met:

The application must load JSON descriptor data influenced by an attacker.
The crafted descriptor must contain deeply nested nested namespace objects.
The affected Root.fromJSON() / Namespace.addJSON() descriptor expansion path must process the crafted input.

How to fix Uncontrolled Recursion?

Upgrade protobufjs to version 7.5.8, 8.2.0 or higher.

<7.5.8>=8.0.0 <8.2.0

Improper Handling of Unicode Encoding

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in the decoding of overlong UTF-8 strings. An attacker can bypass application-level byte filtering or validation by sending malicious sequences that decode to canonical characters. This is only exploitable if the application decodes protobuf binary data using the minimal UTF-8 decoder and relies on byte-level filtering before string decoding.

How to fix Improper Handling of Unicode Encoding?

Upgrade protobufjs to version 7.5.6, 8.0.2, 8.0.3, 8.2.0 or higher.

<7.5.6>=8.0.0-experimental <8.0.2>=8.0.3-experimental <8.0.3>=8.0.4-experimental <8.2.0

protobufjs@8.1.5-experimental

Protocol Buffers for JavaScript & TypeScript.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically