firebase-functions-4.4.1.tgz: 1 vulnerabilities (highest severity is: 9.8)

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - firebase-functions-4.4.1.tgz</summary>


Path to dependency file: /package.json
Path to vulnerable library: /node_modules/protobufjs/package.json


</details>

## Vulnerabilities

| Vulnerability | Severity | <img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS | Dependency | Type | Fixed in (firebase-functions version) | Remediation Possible** |
| ------------- | ------------- | ----- | ----- | ----- | ------------- | --- |
| [CVE-2023-36665](https://www.mend.io/vulnerability-database/CVE-2023-36665) | <img src='https://whitesource-resources.whitesourcesoftware.com/critical_vul.png?' width=19 height=20> Critical | 9.8 | protobufjs-7.2.4.tgz | Transitive | N/A* | &#10060; |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

## Details

<details>

<summary><img src='https://whitesource-resources.whitesourcesoftware.com/critical_vul.png?' width=19 height=20> CVE-2023-36665</summary>


### Vulnerable Library - protobufjs-7.2.4.tgz


Library home page: <a href="https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.4.tgz">https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.4.tgz</a>
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/protobufjs/package.json


Dependency Hierarchy:
 - firebase-functions-4.4.1.tgz (Root Library)
 - :x: **protobufjs-7.2.4.tgz** (Vulnerable Library)
Found in base branch: main




### Vulnerability Details
 
 
"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

Publish Date: 2023-07-05
URL: <a href=https://www.mend.io/vulnerability-database/CVE-2023-36665>CVE-2023-36665</a>




### CVSS 3 Score Details (9.8)


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: High
 - Integrity Impact: High
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.




</details>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

firebase-functions-4.4.1.tgz: 1 vulnerabilities (highest severity is: 9.8) #20

Vulnerabilities

Details

Vulnerable Library - protobufjs-7.2.4.tgz

Vulnerability Details

CVSS 3 Score Details (9.8)

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

firebase-functions-4.4.1.tgz: 1 vulnerabilities (highest severity is: 9.8) #20

Description

Vulnerabilities

Details

Vulnerable Library - protobufjs-7.2.4.tgz

Vulnerability Details

CVSS 3 Score Details (9.8)

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions