protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-674

CWE-754

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7

[{"vendor":"protobufjs","product":"protobuf.js","versions":[{"version":"< 7.6.3","status":"affected"},{"version":">= 8.0.0, < 8.6.0","status":"affected"}]}]