protobufjs is vulnerable to regular expression denial of service (ReDoS). The attack can be triggered when .proto file sources are parsed or loaded using a malicious file, regex, or string.
Name | Operator | Version |
---|---|---|
protobufjs | le | 6.8.5 |
protobufjs | le | 6.7.3 |
github.com/davisjam
github.com/dcodeIO/protobuf.js/blob/6.8.5/src/parse.js#L27
github.com/dcodeIO/protobuf.js/commit/2ee1028d631a328e152d7e09f2a0e0c5c83dc2aa
github.com/dcodeIO/protobuf.js/commit/e7e123aa0b6c05eb4156a761739e37c008a3cbc1
github.com/dcodeIO/protobuf.js/releases
hackerone.com/reports/319576