Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vuln prototype pollution in dependency protobufjs #453

Closed
a1300 opened this issue Jul 19, 2023 · 2 comments · Fixed by #468
Closed

vuln prototype pollution in dependency protobufjs #453

a1300 opened this issue Jul 19, 2023 · 2 comments · Fixed by #468

Comments

@a1300
Copy link

a1300 commented Jul 19, 2023

Reproduction:

git clone https://github.com/ChainSafe/js-libp2p-gossipsub
cd js-libp2p-gossipsub

git checkout 89c82f6c06ee29e0b7c84ef4165ba38ff672394c
npm ci

npm audit
# npm audit report

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install protobufjs@7.2.4, which is a breaking change
node_modules/protobufjs
node_modules/protons-runtime/node_modules/protobufjs

...
...
...
@twoeths
Copy link
Contributor

twoeths commented Jul 21, 2023

should be fixed by #318

@syonfox
Copy link

syonfox commented Jul 30, 2023 

node_modules/protobufjs
  @chainsafe/libp2p-gossipsub  >=3.5.0
  Depends on vulnerable versions of protobufjs
  node_modules/@chainsafe/libp2p-gossipsub
    helia  >=1.1.0
    Depends on vulnerable versions of @chainsafe/libp2p-gossipsub
    node_modules/helia

3 high severity vulnerabilities

here is vs 6.??

js-libp2p-gossipsub/package.json

Line 94 in 83b8e61

"protobufjs": "^6.11.2",

What version of protobufjs should libp2p-gossiphub change to?

if it is fixed what version gossiphub has the fix for helia? Thanks. cool stuff guys

This was referenced Jul 30, 2023
Closed
Closed
@twoeths twoeths mentioned this issue Jul 31, 2023
Closed
@twoeths twoeths mentioned this issue Oct 27, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@syonfox @twoeths @a1300