[GHSA-66ff-xgx4-vchm] protobuf.js: Code injection through bytes field defaults in generated toObject code

[tijuks]

Updates

• Affected products

Comments
Improve

[github]

Hi there @dcodeIO! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[github]

Hi there @dcodeIO! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[dcodeIO]

This proposed change is wrong and should be rejected.

The advisory is about code injection in protobufjs generated toObject code via schema-controlled bytes defaults. There is no LDAP query handling here, and no communication-channel source verification issue. Adding CWE-90 and CWE-940 is unsupported, and the expanded summary is generic CWE text that misrepresents the vulnerability.

I am blocking this as invalid, and I would appreciate not being pinged again for unsupported advisory edits of this kind.