CVE-2023-36665

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-36665
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-36665.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-36665
Aliases
Published
2023-07-05T14:15:09Z
Modified
2025-01-08T15:05:16.624390Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

References

Affected packages

Git / github.com/protobufjs/protobuf.js

Affected ranges

Type
GIT
Repo
https://github.com/protobufjs/protobuf.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e66379f451b0393c27d87b37fa7d271619e16b0d
Fixed
e66379f451b0393c27d87b37fa7d271619e16b0d

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.1.0
6.1.1
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.5.0
6.5.1
6.5.2
6.5.3
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.7.0
6.7.1
6.7.2
6.7.3
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.8.5
6.8.6
6.8.7
6.8.8

protobufjs-cli-v1.*

protobufjs-cli-v1.0.0
protobufjs-cli-v1.0.1
protobufjs-cli-v1.0.2
protobufjs-cli-v1.1.0
protobufjs-cli-v1.1.1

protobufjs-v7.*

protobufjs-v7.0.0
protobufjs-v7.1.0
protobufjs-v7.1.1
protobufjs-v7.1.2
protobufjs-v7.2.0
protobufjs-v7.2.1
protobufjs-v7.2.2
protobufjs-v7.2.3

v6.*

v6.10.0
v6.10.0-beta.0
v6.10.0-beta.1
v6.10.0-beta.2
v6.10.1
v6.10.1-beta.0
v6.10.2
v6.9.0
v6.9.0-beta.0