bug: protobufjs vulnerability CVE-2023-36665 #405

Closed
6 of 13 tasks
axi92 opened this issue Jul 11, 2023 · 3 comments

axi92 commented Jul 11, 2023

Plugin(s)

  • Analytics
  • App
  • App Check
  • Authentication
  • Crashlytics
  • Cloud Messaging
  • Performance
  • Remote Config

Did you test the latest version?

  • I use the latest version

Platform(s)

  • Android
  • iOS
  • Web

Current behavior

Vulnerability: CVE-2023-36665

Npm audit gives the following output:

# npm audit report

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install firebase@8.6.8, which is a breaking change
node_modules/@grpc/grpc-js/node_modules/protobufjs
node_modules/protobufjs
  @grpc/proto-loader  0.6.0-pre1 - 0.6.13
  Depends on vulnerable versions of protobufjs
  node_modules/@grpc/proto-loader
    @firebase/firestore  <=0.0.900-exp.f43d0c698 || 2.3.7-202151602035 - 2.3.7-canary.f6e1645ef || >=2.3.8-20216122160
    Depends on vulnerable versions of @grpc/proto-loader
    node_modules/@firebase/firestore
      @firebase/firestore-compat  *
      Depends on vulnerable versions of @firebase/firestore
      node_modules/@firebase/firestore-compat
        firebase  0.900.22 || 7.9.1-0 - 7.9.1-canary.0396117e || 8.6.8-202151602035 - 8.6.8-canary.f6e1645ef || >=8.7.0-20216122160
        Depends on vulnerable versions of @firebase/firestore
        Depends on vulnerable versions of @firebase/firestore-compat
        node_modules/firebase

semver  6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@capacitor/cli/node_modules/semver
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/eslint-plugin-import/node_modules/semver
node_modules/eslint/node_modules/semver

word-wrap  *
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
  optionator  0.8.3 - 0.9.1
  Depends on vulnerable versions of word-wrap
  node_modules/optionator

8 vulnerabilities (3 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Firebase 10.0.0 got that fixed but they have breaking changes: https://firebase.google.com/support/release-notes/js#version_9210_-_april_27_2023

Expected behavior

No vulnerabilities if fixable

Reproduction

https://github.com/capawesome-team/capacitor-firebase

Steps to reproduce

  1. npm i
  2. npm audit on messaging package

Other information

If I can help in any other way, just let me know =)

Capacitor doctor

Latest Dependencies:

  @capacitor/cli: 5.1.1
  @capacitor/core: 5.1.1
  @capacitor/android: 5.1.1
  @capacitor/ios: 5.1.1

Installed Dependencies:

  @capacitor/cli: 5.1.0
  @capacitor/core: 5.1.0
  @capacitor/android: 5.1.0
  @capacitor/ios: 5.1.0

Before submitting

  • I understand that incomplete issues (e.g. without reproduction) are closed.
axi92 added the bug/fix and needs: triage labels Jul 11, 2023

axi92 commented Jul 11, 2023

I just saw this PR #403; should this fix this problem?

Npm audit does not

Edit:
Never mind, I just checked that firebase does not fix it in 10.0.0

$ npm ls protobufjs
└─┬ firebase@10.0.0
  └─┬ @firebase/firestore@4.0.0
    ├─┬ @grpc/grpc-js@1.7.3
    │ └─┬ @grpc/proto-loader@0.7.7
    │   └── protobufjs@7.2.4
    └─┬ @grpc/proto-loader@0.6.13
      └── protobufjs@6.11.3

There is already an issue firebase/firebase-js-sdk#7431
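Added example, not code from the capacitor-firebase project, the Firebase SDK or npm itself: a Node script that walks an `npm ls --json --all`-style dependency tree and prints every path ending in a protobufjs version inside the range npm audit flagged above (`6.10.0 - 7.2.3`). The tree embedded in the script is constructed by hand to mirror the `npm ls protobufjs` output in the comment above; the range matcher is my own reimplementation of the subset of npm's semver range syntax that appears in the audit report (hyphen ranges, `>=`/`<=`/`>`/`<` comparators, `*`, and `||` alternatives) rather than the `semver` package, and its prerelease ordering is simplified. It makes the point of the `npm ls` output explicit: only the `@grpc/proto-loader@0.6.13` branch pulls in a vulnerable protobufjs, while the `@grpc/grpc-js` branch already resolves to 7.2.4.

```javascript
// Added example (not from capacitor-firebase, firebase or npm): report every
// dependency path that ends in a package version inside an npm-audit-style
// vulnerable range. Uses only the Node standard library.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into a comparable structure.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts below
// the corresponding release (1.0.0-rc1 < 1.0.0); two prereleases of the same
// version are compared as plain strings, a simplification of full semver.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.nums[i] !== vb.nums[i]) return va.nums[i] - vb.nums[i];
  }
  if (va.pre === vb.pre) return 0;
  if (va.pre === null) return 1;
  if (vb.pre === null) return -1;
  return va.pre < vb.pre ? -1 : 1;
}

// One comparator set: "6.10.0 - 7.2.3", ">=8.7.0-20216122160", "*", "7.2.4",
// or several space-separated comparators that are ANDed together.
function satisfiesComparatorSet(version, set) {
  const s = set.trim();
  if (s === "" || s === "*") return true;
  const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(s);
  if (hyphen) {
    return compareVersions(version, hyphen[1]) >= 0 &&
           compareVersions(version, hyphen[2]) <= 0;
  }
  return s.split(/\s+/).every((comp) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
    const cmp = compareVersions(version, m[2]);
    switch (m[1]) {
      case ">=": return cmp >= 0;
      case "<=": return cmp <= 0;
      case ">":  return cmp > 0;
      case "<":  return cmp < 0;
      default:   return cmp === 0;
    }
  });
}

// "||"-separated sets are alternatives: vulnerable if any set matches.
function satisfiesRange(version, range) {
  return range.split("||").some((set) => satisfiesComparatorSet(version, set));
}

// Depth-first walk of a tree shaped like `npm ls --json --all` output:
// { name, version, dependencies: { <name>: { version, dependencies: {...} } } }.
// Returns every root-to-leaf path whose leaf is `pkg` at a version inside
// `vulnerableRange`, formatted like npm's own "a@1 > b@2" chains.
function findVulnerablePaths(tree, pkg, vulnerableRange) {
  const hits = [];
  const walk = (name, node, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && satisfiesRange(node.version, vulnerableRange)) {
      hits.push(here.join(" > "));
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(depName, dep, here);
    }
  };
  walk(tree.name, tree, []);
  return hits;
}

// Constructed input (assumption: mirrors the `npm ls protobufjs` tree quoted
// in the issue, written in the JSON shape npm produces; root name is made up).
const constructedTree = {
  name: "app", version: "0.0.0",
  dependencies: {
    firebase: { version: "10.0.0", dependencies: {
      "@firebase/firestore": { version: "4.0.0", dependencies: {
        "@grpc/grpc-js": { version: "1.7.3", dependencies: {
          "@grpc/proto-loader": { version: "0.7.7", dependencies: {
            protobufjs: { version: "7.2.4" },
          } },
        } },
        "@grpc/proto-loader": { version: "0.6.13", dependencies: {
          protobufjs: { version: "6.11.3" },
        } },
      } },
    } },
  },
};

// The range exactly as npm audit printed it for GHSA-h755-8qp9-cq85.
const PROTOBUFJS_VULNERABLE = "6.10.0 - 7.2.3";

for (const p of findVulnerablePaths(constructedTree, "protobufjs", PROTOBUFJS_VULNERABLE)) {
  console.log("vulnerable path:", p);
}
```

To run it against a real project, replace `constructedTree` with `JSON.parse` of the output of `npm ls --json --all`; the same `findVulnerablePaths` call works for the `semver` and `word-wrap` ranges from the same audit report, which is useful when deciding whether `npm audit fix --force` is really needed or whether only one branch of the tree has to move.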

robingenz added the dependencies label and removed the bug/fix and needs: triage labels Jul 11, 2023

robingenz (Member) commented

I am closing this issue because it depends on @firebase/firestore and cannot be fixed in this project.

robingenz closed this as not planned Sep 19, 2023
github-actions bot locked as resolved and limited conversation to collaborators Nov 15, 2023