Skip to content

[GHSA-66ff-xgx4-vchm] protobuf.js: Code injection through bytes field defaults in generated toObject code#7689

Closed
tijuks wants to merge 2 commits into
tijuks/advisory-improvement-7689from
tijuks-GHSA-66ff-xgx4-vchm
Closed

[GHSA-66ff-xgx4-vchm] protobuf.js: Code injection through bytes field defaults in generated toObject code#7689
tijuks wants to merge 2 commits into
tijuks/advisory-improvement-7689from
tijuks-GHSA-66ff-xgx4-vchm

Conversation

@tijuks

@tijuks tijuks commented May 14, 2026

Copy link
Copy Markdown

Updates

  • Affected products

Comments
Improve

@github

github commented May 14, 2026

Copy link
Copy Markdown
Collaborator

Hi there @dcodeIO! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions Bot changed the base branch from main to tijuks/advisory-improvement-7689 May 14, 2026 05:26
@github

github commented May 15, 2026

Copy link
Copy Markdown
Collaborator

Hi there @dcodeIO! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@dcodeIO

dcodeIO commented May 15, 2026

Copy link
Copy Markdown

This proposed change is wrong and should be rejected.

The advisory is about code injection in protobufjs generated toObject code via schema-controlled bytes defaults. There is no LDAP query handling here, and no communication-channel source verification issue. Adding CWE-90 and CWE-940 is unsupported, and the expanded summary is generic CWE text that misrepresents the vulnerability.

I am blocking this as invalid, and I would appreciate not being pinged again for unsupported advisory edits of this kind.

@github-actions

Copy link
Copy Markdown

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label Jun 17, 2026
@tijuks

tijuks commented Jun 17, 2026

Copy link
Copy Markdown
Author

You have to give it time I don't like the laxity and single minded decisions for open source this is infact wrong so irrational!!!!!!!!?

@github-actions github-actions Bot deleted the tijuks-GHSA-66ff-xgx4-vchm branch June 17, 2026 19:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants