pbf is vulnerable to Code Injection
59
Medium Risk
The pbf/compile module generates JavaScript reader/writer functions from a parsed protobuf schema and interpolates each field.tag value directly into the generated source that is evaluated with new Function. Field tags were not validated, so a crafted schema supplying a string tag containing JavaScript can inject and execute attacker-controlled code when the schema is compiled. This can lead to arbitrary code execution in the process that compiles an untrusted schema. The fix adds a validateTag check that rejects non-integer tags and tags outside the valid protobuf range before code generation.
You are affected if you are using a version that falls within the vulnerable range and your application compiles protobuf schemas from untrusted sources using pbf/compile.
pbf is vulnerable to Code Injection in versions 2.0.0 - 5.1.1.
Upgrade the pbf library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant