Expected behaviour
No vulnerability listed
Actual behaviour
high Prototype Pollution in protobufjs
Overview
The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of Object.prototype.
This vulnerability can occur in multiple ways:
- by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions
- by parsing/loading .proto files
Remediation
Upgrade to version 6.11.3 or later
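To make the Overview concrete, here is an added example (not protobufjs's or dd-trace's own code) showing the shape of bug the advisory describes: a dotted-path property setter that does not reject `__proto__`, the hardened form that does, and a runtime check for a polluted Object.prototype. The function names are illustrative.

```javascript
// Added example, not the protobufjs implementation: a simplified
// dotted-path setter of the kind util.setProperty provides, its hardened
// counterpart, and a check for whether Object.prototype has been polluted.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: walks "a.b.c", creating intermediate objects as needed.
// Because it never rejects "__proto__", a path taken from untrusted input
// can descend into Object.prototype and write a property there.
function setPropertyNaive(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: rejects prototype-reaching keys anywhere in the path and
// only descends into own properties, so the walk can never leave `target`.
function setPropertySafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new TypeError(`refusing to set key "${k}"`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) ||
        typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null); // no prototype chain to climb into
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runtime check: a fresh empty object should have nothing enumerable on its
// prototype chain. for...in sees inherited enumerable keys, Object.keys does not.
function isPrototypePolluted() {
  for (const k in {}) return true; // eslint-disable-line no-unused-vars
  return false;
}
```

The check is cheap enough to run at startup or in a health endpoint as a tripwire while the dependency upgrade is rolled out.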
Steps to reproduce
Install dd-trace latest (2.9.1)
Environment
- Operating system: mac os big
- Node.js version: 16.15.1
- Tracer version:
- Agent version:
- Relevant library versions:
Please update @datadog/pprof package version to fix this issue