CVE-2023-36665 vulnerability in protobufjs >= 6.10.0, < 7.2.4  #879

@letsgolesco

Description

Link to vulnerability report: GHSA-h755-8qp9-cq85

@google-cloud/profiler uses pprof 3.2.0, which in turn uses protobufjs ~7.0.0

The vulnerability has been patched in protobufjs 7.2.4, but pprof still needs to be patched to use the newer version

There's an issue here to track the protobufjs upgrade within pprof: google/pprof-nodejs#256

The pprof version used by @google-cloud/profiler is locked to 3.2.0, so it'll need to be bumped when the protobufjs dependency is upgraded

Environment details

  • OS: any
  • Node.js version: any
  • npm version:
  • @google-cloud/profiler version: 5.0.4

Steps to reproduce

  1. Install @google-cloud/profiler
  2. Notice the security vulnerability alert

Metadata

Labels

  • api: cloudprofiler — Issues related to the googleapis/cloud-profiler-nodejs API.
  • priority: p2 — Moderately-important priority. Fix may not be included in next release.
  • type: bug — Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
