CVE-2026-59876

MEDIUM

protobufjs: Text Format string map parsing can mutate returned map object prototype

Title source: cna
STIX 2.1

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key __proto__ to change the prototype of the returned map object instead of creating an own map entry in protobufjs/ext/textformat. This issue is fixed in version 8.6.5.

Scores

CVSS v3 4.8
EPSS 0.0022
EPSS Percentile 12.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-1321
Status published
Products (2)
protobufjs/protobuf.js >= 8.2.0, < 8.6.5
protobufjs_project/protobufjs 8.2.0 - 8.6.5
Published Jul 08, 2026
Tracked Since Jul 08, 2026