Skip to content

[Aikido] Fix security issue in protobufjs via minor version upgrade from 7.6.0 to 7.6.3 in with-thirdweb#40

Merged
yosriady merged 1 commit into
mainfrom
fix/aikido-security-update-packages-55973087-nj6l
Jun 26, 2026
Merged

[Aikido] Fix security issue in protobufjs via minor version upgrade from 7.6.0 to 7.6.3 in with-thirdweb#40
yosriady merged 1 commit into
mainfrom
fix/aikido-security-update-packages-55973087-nj6l

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Upgrade protobufjs to fix property collision vulnerabilities that could cause DoS through exceptions or recursive calls in message decoding and RPC operations.

✅ There are no breaking changes

✅ 1 CVE resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2026-54269
MEDIUM
[protobufjs] Schema-derived names can collide with protobufjs runtime properties, causing protobufjs to read schema-controlled data instead of expected helpers. This leads to deterministic exceptions or recursive calls in decode, verification, serialization, or RPC operations.

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

@socket-security

Copy link
Copy Markdown

Dependency limit exceeded — report not shown.

This pull request scan exceeded the 10,000-dependency limit applied to this scan, so the results are incomplete and may be inaccurate. To avoid reporting false positives, Socket has not posted a report.

Upgrade your plan to raise the dependency limit and get complete reports, or view the partial scan in the dashboard.

Socket is always free for open source. If this is a non-commercial open source project, contact us to request a free Team account.

@yosriady yosriady merged commit b788c50 into main Jun 26, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant