Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affecting anythingllm package, versions *


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
1.42% (70th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-ANYTHINGLLM-17377008
  • published19 Jun 2026
  • disclosed5 Jul 2023

Introduced: 5 Jul 2023

CVE-2023-36665  (opens in a new tab)
CWE-1321  (opens in a new tab)

How to fix?

There is no fixed version for Minimos:latest anythingllm.

NVD Description

Note: Versions mentioned in the description apply only to the upstream anythingllm package and not the anythingllm package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

CVSS Base Scores

version 3.1