24 matches found
CVE-2026-44293
protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default...
CVE-2026-44293 protobufjs: Code injection through bytes field defaults in generated toObject code
protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default...
CVE-2026-44293
CVE-2026-44293 affects protobufjs: prior to versions 7.5.6 and 8.0.2, generated JavaScript for toObject conversion could emit attacker-controlled code from a schema-controlled bytes field default value. A crafted descriptor with a non-string default for a bytes field may cause arbitrary JavaScrip...
CVE-2026-44293
protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default...
CVE-2026-44293 protobufjs: Code injection through bytes field defaults in generated toObject code
protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default...
protobuf.js 代码注入漏洞
protobuf.js is an open-source implementation of the Protocol Buffers protocol, written entirely in JavaScript. It supports Node.js and browsers with TypeScript. It’s easy to use, extremely fast, and can be used out of the box through.proto files. Versions prior to 7.5.6 and 8.0.2 of protobuf.js h...
GHSA-66FF-XGX4-VCHM protobuf.js: Code injection through bytes field defaults in generated toObject code
Summary protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generat...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the toObject function when handling a schema-controlled bytes field default value. An attacker can execute arbitrary JavaScript code by providing a crafted descriptor with a malicious default value for a byte...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the toObject function when handling a schema-controlled bytes field default value. An attacker can execute arbitrary JavaScript code by providing a crafted descriptor with a malicious default value for a byte...
NPM: protobuf.js: Code injection through bytes field defaults in generated toObject code
NPM: protobuf.js: Code injection through bytes field defaults in generated toObject code vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...
Arbitrary Code Injection
Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Arbitrary Code Injection in the toObject function when handling a schema-controlled bytes field default value. An attacker can execute arbitrary JavaScript code by providing a...
protobuf.js: Code injection through bytes field defaults in generated toObject code
Summary protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generat...
PT-2026-40539
Name of the Vulnerable Software and Affected Versions protobufjs versions prior to 7.5.6 protobufjs versions prior to 8.0.2 Description JavaScript generated for toObject conversion may include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor...
CVE-2026-29063
A flaw was found in Immutable.js, a library for persistent immutable data structures. This vulnerability, known as Prototype Pollution, allows an attacker with low privileges to inject unwanted properties into core JavaScript object prototypes without user interaction. By manipulating specific AP...
CVE-2026-29063
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5...
CVE-2026-29063 Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5...
CVE-2026-29063 Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5...
CVE-2026-29063
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5...
CVE-2026-29063
CVE-2026-29063 affects Immutable.js, where prototype pollution is possible via mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs in versions prior to 3.8.3, 4.3.7, and 5.1.5. IBM security bulletins corroborate the issue and list affected IBM products (e.g., Cloud Pak for ...
Immutable is vulnerable to Prototype Pollution
Impact What kind of vulnerability is it? Who is impacted? A Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. Affected APIs | API | Notes | | --------------------------------------- |...