
CVE-2023-36665 vulnerability is still present in protobufjs 7.2.4 #1586

Closed
aramikuto opened this issue Apr 12, 2024 · 4 comments
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@aramikuto

Protobufjs was updated to version 7.2.4 in #1466 to address the CVE-2023-36665 vulnerability. However, it has been discovered that version 7.2.4 remains vulnerable. The latest version of firebase-tools (v13.7.2 at the moment) still relies on version ^3.6.1 of this package as a peer dependency.

Is it possible to release a patched 3.x version with protobufjs 7.2.5, where the vulnerability has been resolved?

├─ firebase-tools@npm:13.7.2 (via npm:^13.7.2)
│  └─ @google-cloud/pubsub@npm:3.7.5 (via npm:^3.0.1)
│     └─ google-gax@npm:3.6.1 (via npm:^3.6.1)
│        ├─ @grpc/grpc-js@npm:1.8.21 (via npm:~1.8.0)
│        │  └─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ proto3-json-serializer@npm:1.1.1 (via npm:^1.0.0)
│        │  └─ protobufjs@npm:7.2.6 (via npm:^7.0.0)
│        └─ protobufjs@npm:7.2.4 (via npm:7.2.4)
@aramikuto aramikuto added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Apr 12, 2024
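As an added example, not code from this issue or from the google-gax, firebase-tools or protobufjs projects, the following Node.js script walks an `npm ls --json`-style dependency tree and reports every path that resolves `protobufjs` to a version below 7.2.5, the release the issue names as the one where the fix landed. The sample tree is constructed to mirror the chain quoted above (firebase-tools → @google-cloud/pubsub → google-gax); the function names, the sample data and the use of 7.2.5 as the cutoff are assumptions made for illustration.

```javascript
// Added example (not from the issue or any of the projects it mentions):
// find transitive copies of protobufjs below the first fixed release.

const VULNERABLE_PACKAGE = 'protobufjs';
// 7.2.5 is the version the issue text names as fixed; treated here as the cutoff.
const FIRST_FIXED_VERSION = '7.2.5';

// Minimal comparison for plain "major.minor.patch" strings.
// Returns -1, 0 or 1; pre-release and build metadata are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively walk the nested `dependencies` map that `npm ls --json` emits.
// Each node is { version, dependencies: { name: node, ... } }.
// Returns [{ path, version }] where path is the chain of "name@version" hops.
function findVulnerablePaths(node, path = []) {
  const findings = [];
  const deps = node.dependencies || {};
  for (const [name, child] of Object.entries(deps)) {
    const childPath = [...path, `${name}@${child.version}`];
    if (
      name === VULNERABLE_PACKAGE &&
      compareVersions(child.version, FIRST_FIXED_VERSION) < 0
    ) {
      findings.push({ path: childPath.join(' > '), version: child.version });
    }
    // Keep descending: a package may depend on protobufjs more than once.
    findings.push(...findVulnerablePaths(child, childPath));
  }
  return findings;
}

// Constructed sample modelled on the tree quoted in the issue; shape follows
// `npm ls --json`. The 7.2.6 copy under proto3-json-serializer is not flagged.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'firebase-tools': {
      version: '13.7.2',
      dependencies: {
        '@google-cloud/pubsub': {
          version: '3.7.5',
          dependencies: {
            'google-gax': {
              version: '3.6.1',
              dependencies: {
                'proto3-json-serializer': {
                  version: '1.1.1',
                  dependencies: { protobufjs: { version: '7.2.6' } },
                },
                protobufjs: { version: '7.2.4' },
              },
            },
          },
        },
      },
    },
  },
};

// Audit the constructed sample; a real run would pass parsed `npm ls --json` output.
function auditSampleTree() {
  return findVulnerablePaths(SAMPLE_TREE);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditSampleTree()) {
    console.log(`${VULNERABLE_PACKAGE} ${f.version} (< ${FIRST_FIXED_VERSION}) via ${f.path}`);
  }
}
```

To run this against a real project, pipe the output of `npm ls protobufjs --json` into `findVulnerablePaths` instead of the sample tree. While waiting for an upstream release that bumps the pin, npm's `overrides` field in package.json (or yarn's `resolutions`) can force a single `protobufjs` version across the whole tree, after which the walk above should report no paths below the cutoff.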
@scaryguy

Same issue for @google-cloud/logging
googleapis/nodejs-logging#1496

@AlvesJorge

AlvesJorge commented Apr 22, 2024

This causes a critical vulnerability in @google-cloud/monitoring

@google-cloud/monitoring@4.0.0
  └─┬ google-gax@4.3.2
    ├─┬ @grpc/proto-loader@0.7.3
    │ └── protobufjs@7.1.2

@kvargha

kvargha commented Apr 23, 2024

I'm experiencing this issue for @google-cloud/secret-manager and @google-cloud/datastore.

@leahecole
Contributor

I think this is fixed in #1596

5 participants