CVE-2023-36665 vulnerability is still present in protobufjs 7.2.4 #1586
Labels
priority: p2
Moderately-important priority. Fix may not be included in next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Protobufjs was updated to version 7.2.4 in #1466 to address the CVE-2023-36665 vulnerability. However, it has been discovered that version 7.2.4 remains vulnerable. The latest version of firebase-tools (v13.7.2 at the moment) still relies on version ^3.6.1 of this package as a peer dependency.
Is it possible to release a patched 3.x version with protobufjs 7.2.5, where the vulnerability has been resolved?