protobufjs 6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - GHSA-h755-8qp9-cq85
No fix available
node_modules/protobufjs
@cerbos/grpc *
Depends on vulnerable versions of protobufjs
node_modules/@cerbos/grpc
2 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
haines changed the title from "Security advice" to "protobufjs Prototype Pollution vulnerability (CVE-2023-36665)" on Jul 11, 2023
Hi @NormandoHall, thanks for reporting this. This vulnerability does not affect @cerbos/grpc because it relates to parsing untrusted .proto files. We only rely on protobufjs for serialization and deserialization of the protobuf binary wire format, which is unrelated.
We will update to protobufjs 7.2.4 to silence this false positive as soon as possible. We inherit the dependency from ts-proto, and work is underway there to update to the fixed version (stephenh/ts-proto#834, stephenh/ts-proto#874). Once that is merged and released, I'll cut a new release of @cerbos/grpc with the updated dependency.
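Added example, not code from the cerbos or protobufjs projects: a small Node.js check for the follow-up described above, confirming that no copy of protobufjs in a package-lock.json (including nested copies pulled in through ts-proto or @cerbos/grpc) still resolves into the 6.10.0 - 7.2.3 range reported by npm audit. The lockfile contents below are constructed.

```javascript
// Check a lockfileVersion 2/3 package-lock.json for protobufjs entries that still
// fall inside the affected range from GHSA-h755-8qp9-cq85 (6.10.0 - 7.2.3).

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release/build suffix is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Inclusive range as printed by npm audit for this advisory.
const AFFECTED = { low: '6.10.0', high: '7.2.3' };

function isAffectedProtobufjs(version) {
  const v = parseSemver(version);
  return cmp(v, parseSemver(AFFECTED.low)) >= 0 && cmp(v, parseSemver(AFFECTED.high)) <= 0;
}

// Walk the "packages" map and report every protobufjs copy, top-level or nested
// under another package's node_modules, whose version is still in range.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/protobufjs$/.test(path)) continue;
    if (meta && meta.version && isAffectedProtobufjs(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical versions): the top-level copy has been
// bumped to 7.2.4, but a nested copy under @cerbos/grpc is still on 7.2.3.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/protobufjs': { version: '7.2.4' },
    'node_modules/@cerbos/grpc': { version: '0.0.0-example' },
    'node_modules/@cerbos/grpc/node_modules/protobufjs': { version: '7.2.3' },
  },
};

for (const h of findAffectedInLock(SAMPLE_LOCK)) {
  console.log(`still affected: ${h.path} @ ${h.version}`);
}
```

To run against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.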