The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition. Reference: https://snyk.io/vuln/SNYK-JS-GRPC-598671 Upstream patches: https://github.com/grpc/grpc-node/pull/1605 https://github.com/grpc/grpc-node/pull/1606
Created grpc tracking bugs for this issue: Affects: fedora-all [bug 1897155]
External References: https://snyk.io/vuln/SNYK-JS-GRPC-598671
Statement: This vulnerability is related to the Node.js grpc package (grpc-node and a new version of it @grpc/grpc-js). OpenShift Container Platform (OCP) delivers the grpc package but it is the C based gRPC version which contains source code for gRPC libraries, therefore not affected by this vulnerability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7768
The grpc packages in Fedora are for the grpc code from the main repo https://github.com/grpc/grpc and they do not contain code from grpc-node from https://github.com/grpc/grpc-node that is affected by this issue. The grpc-node does not seem to be packaged in Fedora at this time.