geobuf is vulnerable to Prototype Pollution
45
Medium Risk
The geobuf decoder builds feature properties objects in readProps by assigning decoded key/value pairs directly onto a plain object. A specially crafted geobuf message can carry a property key such as __proto__, constructor, or prototype, so decoding writes onto the object prototype instead of the properties object. Before the fix this pollutes Object.prototype across the application, enabling property injection and denial of service. The fix drops those unsafe keys while decoding.
You are affected if you are using a version that falls within the vulnerable range and your application decodes untrusted geobuf messages.
geobuf is vulnerable to Prototype Pollution in versions 1.0.0 - 3.0.2.
Upgrade the geobuf library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant