CVE-2026-44291

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.

Vulnerability Details

Published Date

May 12, 2026

Last Modified

May 14, 2026

CWE ID

CWE-94

Source

GitHub

Vendor

npm

Product

protobufjs

External References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2
https://github.com/advisories/GHSA-75px-5xx7-5xc7

CVE-2026-44291

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment