{"id":"CVE-2023-36665","details":"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.","aliases":["GHSA-h755-8qp9-cq85"],"modified":"2026-03-14T12:07:56.706144Z","published":"2023-07-05T14:15:09.410Z","related":["CGA-m777-f762-xj7g"],"references":[{"type":"ADVISORY","url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240628-0006/"},{"type":"FIX","url":"https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665"},{"type":"FIX","url":"https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d"},{"type":"FIX","url":"https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4"},{"type":"FIX","url":"https://github.com/protobufjs/protobuf.js/pull/1899"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protobufjs/protobuf.js","events":[{"introduced":"07e8185379d6ca6235b71685566c3ce4f594ed34"},{"fixed":"4436cc748c19b88977ab0dc84e59c42339e00520"},{"fixed":"e66379f451b0393c27d87b37fa7d271619e16b0d"},{"fixed":"42e5a9ca85044800b16e193020e1d4d2e6b4010c"}],"database_specific":{"versions":[{"introduced":"6.10.0"},{"fixed":"7.2.5"}]}}],"versions":["protobufjs-cli-v1.0.0","protobufjs-cli-v1.0.1","protobufjs-cli-v1.0.2","protobufjs-cli-v1.1.0","protobufjs-cli-v1.1.1","protobufjs-v7.0.0","protobufjs-v7.1.0","protobufjs-v7.1.1","protobufjs-v7.1.2","protobufjs-v7.2.0","protobufjs-v7.2.1","protobufjs-v7.2.2","protobufjs-v7.2.3","protobufjs-v7.2.4","v6.10.0","v6.10.1","v6.10.1-beta.0","v6.10.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36665.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}