CVE-2020-7768
HIGH7.5EPSS 1.3%Prototype pollution in grpc and @grpc/grpc-js
Published: 5/10/2021Modified: 1/14/2025
Description
"The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition."
Affected packages (2)
- npm/grpcfrom 0, < 1.24.4
- npm/@grpc/grpc-jsfrom 0, < 1.1.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-7768
- WEBhttps://github.com/grpc/grpc-node/pull/1605
- WEBhttps://github.com/grpc/grpc-node/pull/1606
- WEBhttps://github.com/grpc/grpc-node/releases/tag/grpc%401.24.4
- WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038819
- WEBhttps://snyk.io/vuln/SNYK-JS-GRPC-598671
- WEBhttps://snyk.io/vuln/SNYK-JS-GRPCGRPCJS-1038818
- WEBhttps://www.npmjs.com/package/grpc
- WEBhttps://www.npmjs.com/package/@grpc/grpc-js