Denial of Service in protobufjs · CVE-2018-3738 · GitHub Advisory Database · GitHub

Denial of Service in protobufjs

Moderate severity GitHub Reviewed Published Oct 9, 2018 to the GitHub Advisory Database • Updated Apr 11, 2023

Package

protobufjs (npm)

Affected versions

>= 6.0.0, < 6.8.6

< 5.0.3

Patched versions

6.8.6

5.0.3

Description

Versions of protobufjs before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid *.proto files.

Recommendation

Update to version 5.0.3, 6.8.6 or later.

References

Published by the National Vulnerability Database

Jun 7, 2018

Published to the GitHub Advisory Database Oct 9, 2018

Reviewed Jun 16, 2020

Last updated Apr 11, 2023

Severity

Moderate

5.5

/ 10

CVSS base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H