CVE-2026-44291

HIGH

protobufjs: Code generation gadget after prototype pollution

Title source: cna

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7

Scores

CVSS v3 8.1

EPSS 0.0002

EPSS Percentile 6.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (5)

npm/protobufjs 0 - 7.5.6npm

npm/protobufjs 8.0.0 - 8.0.2npm

protobufjs/protobuf.js < 7.5.6

protobufjs/protobuf.js >= 8.0.0, < 8.0.2

protobufjs_project/protobufjs < 7.5.6

Published May 13, 2026

Tracked Since May 13, 2026