{"id":"CVE-2022-25878","details":"Versions of the package protobufjs before 6.11.3 are vulnerable to Prototype Pollution, which can allow an attacker to add or modify properties of Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to the util.setProperty or ReflectionObject.setParsedOption functions; 2. by parsing/loading .proto files.","aliases":["GHSA-g954-5hwp-pp24"],"modified":"2026-04-10T04:46:03.828091Z","published":"2022-05-27T20:15:10.663Z","related":["SNYK-JAVA-ORGWEBJARSNPM-2841507","SNYK-JS-PROTOBUFJS-2441248"],"references":[{"type":"WEB","url":"https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197"},{"type":"FIX","url":"https://github.com/protobufjs/protobuf.js/pull/1731"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248"},{"type":"FIX","url":"https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protobufjs/protobuf.js","events":[{"introduced":"0"},{"fixed":"b130dfd4f06b642d4b7c3ccc9f3f9fb6a6e6ed0d"},{"fixed":"b5f1391dff5515894830a6570e6d73f5511b2e8f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.11.3"}]}}],"versions":["6.0.0","6.0.1","6.0.2","6.1.0","6.1.1","6.2.0","6.2.1","6.3.0","6.3.1","6.4.0","6.4.1","6.4.2","6.4.3","6.4.4","6.4.5","6.4.6","6.5.0","6.5.1","6.5.2","6.5.3","6.6.0","6.6.1","6.6.2","6.6.3","6.6.4","6.6.5","6.7.0","6.7.1","6.7.2","6.7.3","6.8.0","6.8.1","6.8.2","6.8.3","6.8.4","6.8.5","6.8.6","6.8.7","6.8.8","v6.10.0","v6.10.0-beta.0","v6.10.0-beta.1","v6.10.0-beta.2","v6.10.1","v6.10.1-beta.0","v6.10.2","v6.11.0","v6.11.1","v6.11.2","v6.9.0","v6.9.0-beta.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25878.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","s
core":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}