Fix CVE–2022–25878

[debricked]

CVE–2022–25878

Vulnerable dependency:     protobufjs (npm)    6.11.2

Vulnerability details

Description

NVD

The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files

GitHub

Prototype Pollution in protobufjs

The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype.

This vulnerability can occur in multiple ways:

1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions
2. by parsing/loading .proto files

CVSS details - 7.5

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity	High
Availability	None

References

    NVD - CVE-2022-25878
    Prototype Pollution in protobufjs · CVE-2022-25878 · GitHub Advisory Database · GitHub
    fix: do not let setProperty change the prototype (#1731) · protobufjs/protobuf.js@b5f1391 · GitHub
    THIRD PARTY
    fix: do not let setProperty change the prototype by alexander-fenster · Pull Request #1731 · protobufjs/protobuf.js · GitHub
    GitHub - protobufjs/protobuf.js: Protocol Buffers for JavaScript (& TypeScript).
    protobuf.js/util.js at d13d5d5688052e366aa2e9169f50dfca376b32cf · protobufjs/protobuf.js · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

[FOSSAware]

Fix CVE–2022–25878