Protobufjs Prototype Pollution vulnerability #7431

Closed
soodaayush opened this issue Jul 9, 2023 · 7 comments
@soodaayush

Operating System

macOS Ventura 13.4.1

Browser Version

Firefox 115.0.1

Firebase SDK Version

10.0.0

Firebase SDK Product:

Auth, Database

Describe your project's tooling

I use the Firebase SDK for my React Vite website, which stores data and authenticates users.

Describe the problem

I recently got a Dependabot alert in one of my repositories concerning the Protobufjs package, which is a dependency for the Firebase JS package. The Firebase JS package uses version 6.11.3 of Protobufjs, which has vulnerabilities. Dependabot recommends that the dependency be upgraded to at least version 7.2.4.

Steps and code to reproduce issue

  1. Initialize a React app via Vite.
  2. Install the Firebase JS SDK.
  3. Create a repository with the code.
  4. Dependabot will alert you about the vulnerability.
@soodaayush soodaayush added new A new issue that hasn't been categorized as question, bug or feature request question labels Jul 9, 2023
@jbalidiong jbalidiong added needs-attention and removed new A new issue that hasn't been categorized as question, bug or feature request labels Jul 10, 2023
@prameshj
Contributor

Looks like this is getting fixed in #7428

@hsubox76
Contributor

I merged the dependabot PR listed above. This update should go out whenever the next firestore release goes out.

@sceee

sceee commented Jul 19, 2023

@hsubox76 any chance this will be backported to firebase-js-sdk v8?

For firebase v8.10.1 it looks like this:
firebase v8.10.1 depends on "@firebase/firestore": "2.4.1", which depends on "@grpc/proto-loader": "^0.6.0", which depends on the vulnerable "protobufjs": "^6.11.3".

@Kiblyn11

Kiblyn11 commented Jul 19, 2023

@hsubox76

Vulnerability is still here after bump of grpc-js

https://github.com/firebase/firebase-js-sdk/blob/master/packages/firestore/package.json#L100


@VictorUvarov

I am also getting protobufjs security warning on "firebase": "^10.0.0"

# npm audit report

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install firebase@8.6.8, which is a breaking change
node_modules/protobufjs
  @grpc/proto-loader  0.6.0-pre1 - 0.6.13
  Depends on vulnerable versions of protobufjs
  node_modules/@grpc/proto-loader
    @firebase/firestore  <=0.0.900-exp.f43d0c698 || 2.3.7-202151602035 - 2.3.7-canary.f6e1645ef || >=2.3.8-20216122160
    Depends on vulnerable versions of @grpc/proto-loader
    node_modules/@firebase/firestore
      @firebase/firestore-compat  *
      Depends on vulnerable versions of @firebase/firestore
      node_modules/@firebase/firestore-compat
        firebase  0.900.22 || 7.9.1-0 - 7.9.1-canary.0396117e || 8.6.8-202151602035 - 8.6.8-canary.f6e1645ef || >=8.7.0-20216122160
        Depends on vulnerable versions of @firebase/firestore
        Depends on vulnerable versions of @firebase/firestore-compat
        node_modules/firebase
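
The audit output above only names the packages on the path; the following is an added example, not code from the firebase-js-sdk project or from anyone in this thread, that walks a package-lock.json (lockfileVersion 2/3 "packages" map) with Node's nested-node_modules resolution and prints every dependency chain ending at a protobufjs version inside the affected range npm reported (6.10.0 - 7.2.3). The lock fragment is constructed from the firebase v8 chain sceee described; resolveDep, isAffected and findVulnerableChains are names chosen for this example.

```javascript
// Added example, not firebase-js-sdk code: list every dependency chain in a
// lockfileVersion 2/3 package-lock.json that ends at a protobufjs release in
// the range npm audit flags as affected (6.10.0 - 7.2.3; fixed in 7.2.4).
const AFFECTED = { name: 'protobufjs', min: '6.10.0', max: '7.2.3' };
// Numeric major.minor.patch compare; a "-pre" suffix is dropped (assumption: fine
// for this range check, although real semver ranks pre-releases below the release).
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}
function isAffected(v) {
  return cmpVersion(v, AFFECTED.min) >= 0 && cmpVersion(v, AFFECTED.max) <= 0;
}
// Node-style resolution over lockfile keys: nested node_modules/<name> under the
// dependant first, then one node_modules level up at a time until the root "".
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const key = `${base ? base + '/' : ''}node_modules/${name}`;
    if (packages[key]) return key;
    if (base === '') return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i < 0 ? '' : base.slice(0, i);
  }
}
// Depth-first walk from the root entry; returns chains as "name@version" arrays.
function findVulnerableChains(lock) {
  const { packages } = lock, chains = [];
  const walk = (path, trail, seen) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath || seen.has(depPath)) continue; // unresolved or cyclic
      const next = [...trail, `${dep}@${packages[depPath].version}`];
      if (dep === AFFECTED.name && isAffected(packages[depPath].version)) chains.push(next);
      walk(depPath, next, new Set([...seen, depPath]));
    }
  };
  walk('', [], new Set());
  return chains;
}

// Constructed lock fragment mirroring the firebase v8 chain described in this thread.
const SAMPLE_LOCK = { packages: {
  '': { dependencies: { firebase: '8.10.1' } },
  'node_modules/firebase': { version: '8.10.1', dependencies: { '@firebase/firestore': '2.4.1' } },
  'node_modules/@firebase/firestore': { version: '2.4.1', dependencies: { '@grpc/proto-loader': '^0.6.0' } },
  'node_modules/@grpc/proto-loader': { version: '0.6.13', dependencies: { protobufjs: '^6.11.3' } },
  'node_modules/protobufjs': { version: '6.11.3' },
} };
console.log(findVulnerableChains(SAMPLE_LOCK).map((c) => c.join(' > ')).join('\n'));
```

A nested fixed copy (for example node_modules/@grpc/proto-loader/node_modules/protobufjs at 7.2.4) shadows the root one for that dependant, which is exactly the case the walk has to resolve correctly before declaring a chain clean.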

@bilby91

bilby91 commented Jul 19, 2023

@firebase/firestore seems to still have a dependency against grpc/proto-loader 0.6.X

@levpachmanov

Hey @DevBaddy @Kiblyn11 @bilby91 ,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created a protobufjs 6.11.3-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

@firebase firebase locked and limited conversation to collaborators Aug 12, 2023