Vulnerability [email protected] lib

[vulh1209]

I got warning about this Vulnerability when scan myproject with Trivy

{
          "VulnerabilityID": "CVE-2023-36665",
          "PkgID": "[email protected]",
          "PkgName": "protobufjs",
          "PkgPath": "app/node_modules/@kafkajs/confluent-schema-registry/node_modules/protobufjs/package.json",
          "InstalledVersion": "6.11.3",
          "FixedVersion": "7.2.4",
          "Status": "fixed",
          "Layer": {
            "DiffID": "sha256:a42bafa0fca343ec50570b732b3254403670a29c699d6785eef1b81789720744"
          },
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-36665",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Npm",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
          },
          "Title": "prototype pollution using user-controlled protobuf message",
          "Description": "protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about \"Object.constructor.prototype.\u003cnew-property\u003e = ...;\" whereas CVE-2022-25878 was about \"Object.__proto__.\u003cnew-property\u003e = ...;\" instead.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-1321"
          ],
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 9.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
              "V3Score": 8.6
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2023-36665",
            "https://github.com/advisories/GHSA-h755-8qp9-cq85",
            "https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d",
            "https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4",
            "https://github.com/protobufjs/protobuf.js/pull/1899",
            "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-36665",
            "https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665",
            "https://www.cve.org/CVERecord?id=CVE-2023-36665"
          ],
          "PublishedDate": "2023-07-05T14:15:00Z",
          "LastModifiedDate": "2023-07-12T15:50:00Z"
        }

Can we update protobufjs lib to version 7.2.4 ?

[JamesPatrickGill]

#251 Hi I made a PR here, just waiting for eyes 👀

[JamesPatrickGill]

#251 Hi I made a PR here, just waiting for eyes 👀

Ignore me here, there is a PR that is open for this already #244

[florianmutter]

If you use pnpm you can override the dependency in your package.json like this:

{
  ...
  "pnpm": {
    "overrides": {
      "protobufjs@^6.0.0": "6.11.4"
    }
  }
}

[pwmcintyre]

related: I've raised a ticket with protobufjs, because the patch on 6.11.4 isn't correctly reflecting in many databases.
protobufjs/protobuf.js#2008

[kriskw1999]

Hi, I am closing this one because with the latest release we added support to protobufjs 7.x.x

Thank you for the patience