Prototype pollution vulnerability in Text Format extension
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key __proto__ to change the prototype of the returned map object instead of creating an own map entry in protobufjs/ext/textformat. This issue is fixed in version 8.6.5. A flaw was found in protobufjs. An attacker could exploit this to alter object behavior, potentially leading to information disclosure or other impacts. This Moderate-impact flaw in protobufjs allows an attacker to perform prototype pollution by providing specially crafted input to the Text Format extension. Red Hat severity: Moderate — CVSS 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). Weakness: CWE-915. Under investigation: Cryostat 4; OpenShift Pipelines; OpenShift Service Mesh 3; Red Hat Ansible Automation Platform 2; Red Hat Build of Podman Desktop; Red Hat Ceph Storage 9; Red Hat Developer Hub; Red Hat Enterprise Linux 8; Red Hat OpenShift Container Platform 4; Red Hat Openshift Data Foundation 4; Self-service automation portal 2. Red Hat lists Red Hat Enterprise Linux AI (RHEL AI) 3; Red Hat Hardened Images as not affected.
- 8.6.5
Official advisory · high-confidence parse· fetched 16 minutes ago·verify at source
Mitigation
Mitigation steps weren't captured by the parser for this advisory — this is a parsing gap, not a statement that no fix exists. Read the vendor advisory below for the authoritative guidance.
Official advisory · high-confidence parse· fetched 16 minutes ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.