Protobufjs Project: >> Protobufjs >> 0.9.12 Security Vulnerabilities
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
CVSS Score
9.4
EPSS Score
0.001
Published
2026-04-18
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files
CVSS Score
8.2
EPSS Score
0.004
Published
2022-05-27
protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files.
CVSS Score
5.5
EPSS Score
0.002
Published
2018-06-07