We found a prototype pollution vulnerability in protobufjs: CVE-2023-36665 🚨
Snyk CVSS Score: 8.6 (high)
Affected applications are at risk of remote code execution and denial of service attacks. The vulnerability was found by our open-source JavaScript fuzzer Jazzer.js, running in Google's OSS-Fuzz.
Mitigation:
Versions from 6.10.0 to 7.2.4 are affected and hence vulnerable to prototype pollution. The maintainer issued an update that fixed this vulnerability on April 18, 2023. We strongly recommend that impacted users upgrade to newer versions that include the fixes, i.e., version 7.2.4 and above.
Hats off to our colleague Peter for writing the bug detector and disclosing the vulnerability to the project maintainer 🙌
More info in our blog: https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665