2 matches found
GHSA-JGGG-4JG4-V7C6 protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
Summary protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON and Namespace.addJSON. A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. Impact An...
GHSA-66FF-XGX4-VCHM protobuf.js: Code injection through bytes field defaults in generated toObject code
Summary protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generat...