[Aikido] Fix security issue in protobufjs via minor version upgrade from 7.5.3 to 7.6.0 (#23)

Merged: Gldywn merged 1 commit into main from fix/aikido-security-update-packages-37565883-7t4s on May 21, 2026

Conversation

@aikido-autofix (Contributor)

Upgrade protobufjs to fix critical code injection vulnerability in protobuf type field compilation and medium-severity prototype pollution in message initialization.

⚠️ Breaking changes analysis not available for: protobufjs

✅ 2 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue: CVE-2026-41242
Severity: 🚨 CRITICAL
Description: [protobufjs] Arbitrary code injection vulnerability in protobuf type fields allows attackers to execute malicious code during object decoding. This enables remote code execution (RCE) when processing untrusted protobuf definitions.

Issue: AIKIDO-2026-10467
Severity: MEDIUM
Description: [protobufjs] Prototype pollution vulnerability in message initialization allows attackers to inject malicious properties via the proto field, enabling prototype chain manipulation and unintended property injection across the application.
🤖 Remediation details

Fix transitive protobufjs vulnerability via lockfile refresh

Short summary

This PR remediates two security vulnerabilities in the transitive dependency protobufjs (one critical, one medium severity). The vulnerable version (7.5.3) was resolved in package-lock.json as a transitive dependency pulled in by the direct dependency @gldywn/crlset.js. No changes to package.json were required; only package-lock.json was updated.

protobufjs

protobufjs@7.5.3 was resolved transitively via @gldywn/crlset.js@1.2.0, which declares it as ^7.5.3. Because the patched minimum (7.5.5) falls within that existing caret range, no manifest edit or override was needed — running npm update protobufjs --package-lock-only was sufficient to advance the lockfile-resolved version to 7.6.0, satisfying both patched version specs (≥ 7.5.5 for the 7.x line). The fix addresses a critical CVE and a medium-severity advisory present in all protobufjs versions below 7.5.5.

Version changes

Package: protobufjs
From: 7.5.3
To: 7.6.0
Why updated: Transitive CVE fix; semver resolution under @gldywn/crlset.js@1.2.0 (^7.5.3), lockfile-only refresh
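A lockfile-only refresh like the one above only helps if every resolved copy of the package moved, including copies nested under other dependencies that npm may keep at the old version. The script below is an added example for checking that, not code from the PR, from Aikido, or from the crlset.js project. It walks the `packages` map of a lockfileVersion 2/3 package-lock.json and reports every resolved copy below a patched minimum; the three lockfiles embedded in it are constructed to mirror the PR's dependency shape (protobufjs pulled in through @gldywn/crlset.js) and the 7.5.5 minimum the PR states, and `other-lib` is a hypothetical package introduced only to show the nested-copy case.

```javascript
// Added example: audit a package-lock.json for every resolved copy of a package
// (top-level and nested) and report those below the patched minimum.
// Assumes the lockfileVersion 2/3 layout, where lock.packages maps paths such as
// "node_modules/protobufjs" or "node_modules/<dep>/node_modules/protobufjs" to entries.

// Compare two dotted release versions numerically (major.minor.patch).
// Prerelease tags are not handled; plain releases are enough for this check.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Collect every lockfile entry whose path ends in "node_modules/<name>".
// The root project entry (key "") is skipped; scoped or prefixed lookalikes do not match.
function resolvedCopies(lock, name) {
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    if (path.endsWith('node_modules/' + name)) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Copies still below minPatched; an empty array means the fix landed everywhere.
function vulnerableCopies(lock, name, minPatched) {
  return resolvedCopies(lock, name).filter(c => compareVersions(c.version, minPatched) < 0);
}

// Read a real package-lock.json from disk and audit it.
function auditFile(file, name, minPatched) {
  const fs = require('fs');
  return vulnerableCopies(JSON.parse(fs.readFileSync(file, 'utf8')), name, minPatched);
}

// Constructed sample: lockfile BEFORE the upgrade, with the flagged 7.5.3.
const lockBefore = {
  name: 'example-app', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'example-app', dependencies: { '@gldywn/crlset.js': '^1.2.0' } },
    'node_modules/@gldywn/crlset.js': { version: '1.2.0', dependencies: { protobufjs: '^7.5.3' } },
    'node_modules/protobufjs': { version: '7.5.3' },
  },
};

// Constructed sample: lockfile AFTER `npm update protobufjs --package-lock-only`.
const lockAfter = JSON.parse(JSON.stringify(lockBefore));
lockAfter.packages['node_modules/protobufjs'].version = '7.6.0';

// Constructed sample: a hypothetical 'other-lib' pinning protobufjs 7.5.3 exactly, so npm
// keeps a nested old copy that a top-level-only check would miss.
const lockNested = JSON.parse(JSON.stringify(lockAfter));
lockNested.packages['node_modules/other-lib'] = { version: '1.0.0', dependencies: { protobufjs: '7.5.3' } };
lockNested.packages['node_modules/other-lib/node_modules/protobufjs'] = { version: '7.5.3' };

const MIN_PATCHED = '7.5.5'; // patched minimum for the 7.x line, as stated in the PR

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, lock] of [['before', lockBefore], ['after', lockAfter], ['nested', lockNested]]) {
    console.log(label, vulnerableCopies(lock, 'protobufjs', MIN_PATCHED));
  }
  // Usage: node audit-lock.js ./package-lock.json
  if (process.argv[2]) console.log('file', auditFile(process.argv[2], 'protobufjs', MIN_PATCHED));
}
```

Run it against the repository's own package-lock.json after the update; a non-empty result for the nested case is exactly the situation where the advisory would still apply even though `npm ls protobufjs` at the top level looks clean.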

@codecov (codecov Bot) commented May 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@Gldywn Gldywn merged commit 98f5640 into main May 21, 2026
2 checks passed