This repository was archived by the owner on Mar 19, 2026. It is now read-only.

CVE-2023-36665 vulnerability is still present in protobufjs 7.2.4 #216

@aramikuto

Description

Protobufjs was updated to version 7.2.4 in #241 to address the CVE-2023-36665 vulnerability. However, it has been discovered that version 7.2.4 remains vulnerable. The latest version of firebase-tools (v13.7.2 at the moment) still relies on version ^3.6.1 of this package as a peer dependency.

Is it possible to release a patched 3.x version with protobufjs 7.2.5, where the vulnerability has been resolved?

├─ firebase-tools@npm:13.7.2 (via npm:^13.7.2)
│  └─ @google-cloud/pubsub@npm:3.7.5 (via npm:^3.0.1)
│     └─ google-gax@npm:3.6.1 (via npm:^3.6.1)
│        ├─ @grpc/grpc-js@npm:1.8.21 (via npm:~1.8.0)
│        │  └─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ proto3-json-serializer@npm:1.1.1 (via npm:^1.0.0)
│        │  └─ protobufjs@npm:7.2.6 (via npm:^7.0.0)
│        └─ protobufjs@npm:7.2.4 (via npm:7.2.4)
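The tree above shows why a single `npm audit`-style version bump is not enough: google-gax pins protobufjs to exactly 7.2.4, so no consumer range can pull in 7.2.5 until google-gax itself is re-released. The following script is an added example, not code from this issue or from the google-gax project; it parses the tree format quoted above (the `name@npm:version (via npm:range)` layout), reports every protobufjs instance below the version the reporter names as fixed (7.2.5), records the dependency path that introduces it, and flags whether the declaring range is an exact pin (i.e. the fix needs an upstream release) or a caret/tilde range that would accept the patched version on the next install. The sample tree, the `FIXED_PROTOBUFJS` constant and the function names are the example's own assumptions.

```javascript
// Added example: scan a yarn-style dependency tree for protobufjs releases
// below the fixed version. Not part of the original issue or of google-gax.

// Constructed sample input: the dependency tree quoted in the issue.
const SAMPLE_TREE = `
├─ firebase-tools@npm:13.7.2 (via npm:^13.7.2)
│  └─ @google-cloud/pubsub@npm:3.7.5 (via npm:^3.0.1)
│     └─ google-gax@npm:3.6.1 (via npm:^3.6.1)
│        ├─ @grpc/grpc-js@npm:1.8.21 (via npm:~1.8.0)
│        │  └─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ @grpc/proto-loader@npm:0.7.10 (via npm:^0.7.0)
│        ├─ proto3-json-serializer@npm:1.1.1 (via npm:^1.0.0)
│        │  └─ protobufjs@npm:7.2.6 (via npm:^7.0.0)
│        └─ protobufjs@npm:7.2.4 (via npm:7.2.4)
`;

// Assumption taken from the issue text: 7.2.5 is the first release that
// resolves CVE-2023-36665, so anything below it is reported.
const FIXED_PROTOBUFJS = "7.2.5";

// Parse "x.y.z" into numbers; pre-release suffixes are ignored for this check.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Parse one tree line into { depth, name, version, range }.
// Returns null for lines that do not describe a package.
function parseTreeLine(line) {
  const m = /^([│ ]*)[├└]─ (@?[^@\s]+)@npm:(\S+)(?: \(via npm:([^)\s]+)\))?/.exec(line);
  if (!m) return null;
  // Each nesting level in this format is three characters wide ("│  " or "   ").
  const depth = Math.round(m[1].length / 3);
  return { depth, name: m[2], version: m[3], range: m[4] || null };
}

// Walk the tree, keeping an ancestor stack so each finding carries the full
// path that introduces the vulnerable package.
function findVulnerableProtobufjs(treeText, fixedVersion = FIXED_PROTOBUFJS) {
  const stack = []; // stack[depth] = "name@version" of the current node at that depth
  const findings = [];
  for (const line of treeText.split("\n")) {
    const node = parseTreeLine(line);
    if (!node) continue;
    stack.length = node.depth; // drop deeper siblings' ancestors
    stack.push(`${node.name}@${node.version}`);
    if (node.name === "protobufjs" && compareSemver(node.version, fixedVersion) < 0) {
      findings.push({
        version: node.version,
        range: node.range,
        // An exact pin means the fix cannot arrive through a lockfile refresh;
        // the declaring package (here google-gax) must publish a new release.
        pinned: node.range !== null && node.range === node.version,
        path: stack.join(" > "),
      });
    }
  }
  return findings;
}

// Standalone usage: prints the findings for the constructed sample tree.
for (const f of findVulnerableProtobufjs(SAMPLE_TREE)) {
  console.log(`protobufjs@${f.version} (range ${f.range}, pinned=${f.pinned}) via ${f.path}`);
}
```

Run against the sample it reports exactly one instance, protobufjs@7.2.4 reached through firebase-tools > @google-cloud/pubsub > google-gax, marked as pinned; the 7.2.6 copy under proto3-json-serializer passes. On a real project, feed it the output of the package manager's tree or `why` command in the same format instead of the constructed sample.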

Metadata

Labels

- priority: p2 (Moderately-important priority. Fix may not be included in next release.)
- type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)
