{"url":"http://public2.vulnerablecode.io/api/packages/569453?format=json","purl":"pkg:npm/protobufjs@4.0.0","type":"npm","namespace":"","name":"protobufjs","version":"4.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.5.6","latest_non_vulnerable_version":"8.2.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67699?format=json","vulnerability_id":"VCID-6nmq-6d5d-4udh","summary":"protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44293.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44293.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44293","reference_id":"","reference_type":"","scores":[{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18417","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44293"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/protobufjs/protobuf.js","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477104","reference_id":"2477104","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477104"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44293","reference_id":"CVE-2026-44293","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44293"},{"reference_url":"https://github.com/advisories/GHSA-66ff-xgx4-vchm","reference_id":"GHSA-66ff-xgx4-vchm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-66ff-xgx4-vchm"},{"reference_url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchm","reference_id":"GHSA-66ff-xgx4-vchm","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-14T15:59:34Z/"}],"url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375387?format=json","purl":"pkg:npm/protobufjs@7.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@7.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375388?format=json","purl":"pkg:npm/protobufjs@8.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@8.0.2"}],"aliases":["CVE-2026-44293","GHSA-66ff-xgx4-vchm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6nmq-6d5d-4udh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67613?format=json","vulnerability_id":"VCID-a74m-ddhb-7bgs","summary":"protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44292","reference_id":"","reference_type":"","scores":[{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24546","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44292"},{"reference_url":"https://github.com/protobufjs/protobuf.js","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44292","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44292"},{"reference_url":"https://github.com/advisories/GHSA-fx83-v9x8-x52w","reference_id":"GHSA-fx83-v9x8-x52w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fx83-v9x8-x52w"},{"reference_url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-fx83-v9x8-x52w","reference_id":"GHSA-fx83-v9x8-x52w","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-18T13:59:48Z/"}],"url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-fx83-v9x8-x52w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375387?format=json","purl":"pkg:npm/protobufjs@7.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@7.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375388?format=json","purl":"pkg:npm/protobufjs@8.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@8.0.2"}],"aliases":["CVE-2026-44292","GHSA-fx83-v9x8-x52w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a74m-ddhb-7bgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68017?format=json","vulnerability_id":"VCID-agcx-f3qr-8fce","summary":"protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44288.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44288.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44288","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02122","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44288"},{"reference_url":"https://github.com/protobufjs/protobuf.js","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44288","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44288"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477083","reference_id":"2477083","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477083"},{"reference_url":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","reference_id":"GHSA-q6x5-8v7m-xcrf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf"},{"reference_url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf","reference_id":"GHSA-q6x5-8v7m-xcrf","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:33:40Z/"}],"url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375387?format=json","purl":"pkg:npm/protobufjs@7.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@7.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375388?format=json","purl":"pkg:npm/protobufjs@8.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@8.0.2"}],"aliases":["CVE-2026-44288","GHSA-q6x5-8v7m-xcrf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-agcx-f3qr-8fce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67982?format=json","vulnerability_id":"VCID-cset-c4xv-sfdk","summary":"protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44294","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14075","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44294"},{"reference_url":"https://github.com/protobufjs/protobuf.js","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44294","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44294"},{"reference_url":"https://github.com/advisories/GHSA-2pr8-phx7-x9h3","reference_id":"GHSA-2pr8-phx7-x9h3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2pr8-phx7-x9h3"},{"reference_url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-2pr8-phx7-x9h3","reference_id":"GHSA-2pr8-phx7-x9h3","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:34:24Z/"}],"url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-2pr8-phx7-x9h3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375387?format=json","purl":"pkg:npm/protobufjs@7.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@7.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375388?format=json","purl":"pkg:npm/protobufjs@8.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@8.0.2"}],"aliases":["CVE-2026-44294","GHSA-2pr8-phx7-x9h3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cset-c4xv-sfdk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67667?format=json","vulnerability_id":"VCID-jpgw-z2qb-47hp","summary":"protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44290","reference_id":"","reference_type":"","scores":[{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34023","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44290"},{"reference_url":"https://github.com/protobufjs/protobuf.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44290","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44290"},{"reference_url":"https://github.com/advisories/GHSA-jvwf-75h9-cwgg","reference_id":"GHSA-jvwf-75h9-cwgg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jvwf-75h9-cwgg"},{"reference_url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jvwf-75h9-cwgg","reference_id":"GHSA-jvwf-75h9-cwgg","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T13:44:00Z/"}],"url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jvwf-75h9-cwgg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375387?format=json","purl":"pkg:npm/protobufjs@7.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@7.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375388?format=json","purl":"pkg:npm/protobufjs@8.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@8.0.2"}],"aliases":["CVE-2026-44290","GHSA-jvwf-75h9-cwgg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jpgw-z2qb-47hp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81056?format=json","vulnerability_id":"VCID-sbyg-dk24-2kb9","summary":"protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the \"type\" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41242.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41242.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41242","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07698","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41242"},{"reference_url":"https://github.com/protobufjs/protobuf.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41242","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41242"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2459442","reference_id":"2459442","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2459442"},{"reference_url":"https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75","reference_id":"535df444ac060243722ac5d672db205e5c531d75","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:03:39Z/"}],"url":"https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75"},{"reference_url":"https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956","reference_id":"ff7b2afef8754837cc6dc64c864cd111ab477956","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:03:39Z/"}],"url":"https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956"},{"reference_url":"https://github.com/advisories/GHSA-xq3m-2v4x-88gg","reference_id":"GHSA-xq3m-2v4x-88gg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xq3m-2v4x-88gg"},{"reference_url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg","reference_id":"GHSA-xq3m-2v4x-88gg","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:03:39Z/"}],"url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5","reference_id":"protobufjs-v7.5.5","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:03:39Z/"}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1","reference_id":"protobufjs-v8.0.1","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:03:39Z/"}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:21338","reference_id":"RHSA-2026:21338","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:21338"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:24977","reference_id":"RHSA-2026:24977","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:24977"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373622?format=json","purl":"pkg:npm/protobufjs@7.5.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6nmq-6d5d-4udh"},{"vulnerability":"VCID-a74m-ddhb-7bgs"},{"vulnerability":"VCID-agcx-f3qr-8fce"},{"vulnerability":"VCID-cset-c4xv-sfdk"},{"vulnerability":"VCID-jpgw-z2qb-47hp"},{"vulnerability":"VCID-v9xz-hqym-nffk"},{"vulnerability":"VCID-xgad-rzs5-4fan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@7.5.5"},{"url":"http://public2.vulnerablecode.io/api/packages/373621?format=json","purl":"pkg:npm/protobufjs@8.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6nmq-6d5d-4udh"},{"vulnerability":"VCID-a74m-ddhb-7bgs"},{"vulnerability":"VCID-agcx-f3qr-8fce"},{"vulnerability":"VCID-cset-c4xv-sfdk"},{"vulnerability":"VCID-jpgw-z2qb-47hp"},{"vulnerability":"VCID-v9xz-hqym-nffk"},{"vulnerability":"VCID-xgad-rzs5-4fan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@8.0.1"}],"aliases":["CVE-2026-41242","GHSA-xq3m-2v4x-88gg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sbyg-dk24-2kb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68032?format=json","vulnerability_id":"VCID-v9xz-hqym-nffk","summary":"protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44291","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06822","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44291"},{"reference_url":"https://github.com/protobufjs/protobuf.js","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44291","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44291"},{"reference_url":"https://github.com/advisories/GHSA-75px-5xx7-5xc7","reference_id":"GHSA-75px-5xx7-5xc7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-75px-5xx7-5xc7"},{"reference_url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7","reference_id":"GHSA-75px-5xx7-5xc7","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-13T15:31:57Z/"}],"url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375387?format=json","purl":"pkg:npm/protobufjs@7.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@7.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375388?format=json","purl":"pkg:npm/protobufjs@8.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@8.0.2"}],"aliases":["CVE-2026-44291","GHSA-75px-5xx7-5xc7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v9xz-hqym-nffk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67638?format=json","vulnerability_id":"VCID-xgad-rzs5-4fan","summary":"protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44289","reference_id":"","reference_type":"","scores":[{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18586","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44289"},{"reference_url":"https://github.com/protobufjs/protobuf.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"},{"reference_url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44289","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44289"},{"reference_url":"https://github.com/advisories/GHSA-685m-2w69-288q","reference_id":"GHSA-685m-2w69-288q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-685m-2w69-288q"},{"reference_url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-685m-2w69-288q","reference_id":"GHSA-685m-2w69-288q","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:15:09Z/"}],"url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-685m-2w69-288q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375387?format=json","purl":"pkg:npm/protobufjs@7.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@7.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375388?format=json","purl":"pkg:npm/protobufjs@8.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@8.0.2"}],"aliases":["CVE-2026-44289","GHSA-685m-2w69-288q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xgad-rzs5-4fan"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210685?format=json","vulnerability_id":"VCID-yyu7-4myk-mffe","summary":"Prototype Pollution in protobufjs","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25878.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25878.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25878","reference_id":"","reference_type":"","scores":[{"value":"0.00422","scoring_system":"epss","scoring_elements":"0.62517","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25878"},{"reference_url":"https://github.com/protobufjs/protobuf.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js"},{"reference_url":"https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197"},{"reference_url":"https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f"},{"reference_url":"https://github.com/protobufjs/protobuf.js/pull/1731","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/pull/1731"},{"reference_url":"https://github.com/protobufjs/protobuf.js/pull/1735","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/protobufjs/protobuf.js/pull/1735"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2093111","reference_id":"2093111","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2093111"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25878","reference_id":"CVE-2022-25878","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25878"},{"reference_url":"https://github.com/advisories/GHSA-g954-5hwp-pp24","reference_id":"GHSA-g954-5hwp-pp24","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g954-5hwp-pp24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24356?format=json","purl":"pkg:npm/protobufjs@6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6nmq-6d5d-4udh"},{"vulnerability":"VCID-a74m-ddhb-7bgs"},{"vulnerability":"VCID-agcx-f3qr-8fce"},{"vulnerability":"VCID-cset-c4xv-sfdk"},{"vulnerability":"VCID-ej52-5xyw-nyhr"},{"vulnerability":"VCID-jpgw-z2qb-47hp"},{"vulnerability":"VCID-sbyg-dk24-2kb9"},{"vulnerability":"VCID-v9xz-hqym-nffk"},{"vulnerability":"VCID-xgad-rzs5-4fan"},{"vulnerability":"VCID-yyu7-4myk-mffe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/24353?format=json","purl":"pkg:npm/protobufjs@6.11.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6nmq-6d5d-4udh"},{"vulnerability":"VCID-a74m-ddhb-7bgs"},{"vulnerability":"VCID-agcx-f3qr-8fce"},{"vulnerability":"VCID-cset-c4xv-sfdk"},{"vulnerability":"VCID-ej52-5xyw-nyhr"},{"vulnerability":"VCID-jpgw-z2qb-47hp"},{"vulnerability":"VCID-sbyg-dk24-2kb9"},{"vulnerability":"VCID-v9xz-hqym-nffk"},{"vulnerability":"VCID-xgad-rzs5-4fan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@6.11.3"}],"aliases":["CVE-2022-25878","GHSA-g954-5hwp-pp24"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yyu7-4myk-mffe"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/protobufjs@4.0.0"}