ReDoS Vulnerability due to protobufjs #277
Comments
We can't update to protobufjs6 without doing major damage to our dependents. However, we made a backport of the fix to protobufjs5 (see protobufjs/protobuf.js#1030), and we are now waiting for @dcodeIO to make a protobufjs5 release with this fix in.

Reopening until that fix is published.

FYI: Thanks for reminding me, just published 5.0.3. Btw:

This is also true the other way around I'm afraid. On my end I saw significant friction encountered by users trying to use grpc with latest protobuf.js.

@dcodeIO thanks! As for friction, we've published a separate, new package designed specifically to alleviate upgrade issues with protobufjs in the future. Hopefully this will help.

The gRPC 1.12.1 release finally got out, and it is now pinning on 5.0.3 that no longer has that vulnerability - not that it was very important anyway, unless you are doing something really wonky like parsing user-provided .proto files instead of using the json representation, but in all cases, it's all good now. At the time of writing this, both nodesecurity and skyx still have outdated information on the status of this problem, and we'll keep trying to get them to amend their databases.

As a quick update: both nodesecurity and skyx now have proper information about the security fix that happened in protobufjs 5.0.3.
ReDoS vulnerability in protobufjs@6.8.5.
Update to protobufjs@6.8.6 is required. See the relevant commit and the protobufjs 6.8.6 release notes.
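The thread names two fixed releases, 5.0.3 for the 5.x line (what gRPC 1.12.1 pins) and 6.8.6 for the 6.x line. A practical check for a dependent project is to walk the lockfile and flag every protobufjs entry older than the fixed release in its major line. The script below is an added example, not code from the grpc-node or protobuf.js projects; it assumes a package-lock.json v1-style nested `dependencies` tree, treats any release below the fixed one in its line as vulnerable (an assumption this thread does not spell out for older patch releases), reports lines with no stated fixed release as `unknown` rather than safe, and runs against a constructed lockfile embedded inline.

```javascript
// Added example (not code from grpc-node or protobuf.js): audit a lockfile tree
// for protobufjs versions older than the releases the issue thread names as fixed.

// Fixed releases per major line, as stated in the thread (5.0.3 and 6.8.6).
const FIXED_BY_MAJOR = { 5: '5.0.3', 6: '6.8.6' };

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b (numeric, field by field).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Classify one protobufjs version: 'vulnerable' if below the fixed release of its
// major line (assumption: everything older in that line is affected), 'fixed'
// otherwise, 'unknown' when the thread states no fixed release for that line.
function classify(version) {
  const major = parseVersion(version)[0];
  const fixed = FIXED_BY_MAJOR[major];
  if (fixed === undefined) return 'unknown';
  return compareVersions(version, fixed) < 0 ? 'vulnerable' : 'fixed';
}

// Walk a package-lock.json v1-style tree: objects keyed by package name, each with
// a "version" and an optional nested "dependencies" object. Report every
// protobufjs occurrence with the path by which it was pulled in.
function auditLockfile(lock) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === 'protobufjs') {
        findings.push({
          path: here.join(' > '),
          version: info.version,
          status: classify(info.version),
        });
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile (not taken from any real project): grpc pinned to
// the fixed 5.0.3, and a hypothetical library still on the vulnerable 6.8.5.
const SAMPLE_LOCK = {
  name: 'example-service',
  dependencies: {
    grpc: {
      version: '1.12.1',
      dependencies: { protobufjs: { version: '5.0.3' } },
    },
    'some-other-lib': {
      version: '0.1.0',
      dependencies: { protobufjs: { version: '6.8.5' } },
    },
  },
};

const REPORT = auditLockfile(SAMPLE_LOCK);
for (const f of REPORT) {
  console.log(`${f.status.padEnd(10)} protobufjs@${f.version} via ${f.path}`);
}
```

To use it on a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; lockfile v2/v3 files carry a flat `packages` map instead, which needs a different walker. Reporting `unknown` instead of `fixed` for lines the thread does not cover keeps the check from silently passing versions it knows nothing about.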