VYPR
Medium severity (CVSS 5.3) · GHSA Advisory · Published May 13, 2026 · Updated May 19, 2026

CVE-2026-44288

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences (a code point encoded with more bytes than its shortest form) and decoded them to their canonical characters instead of replacing them with U+FFFD. An attacker who can supply protobuf binary data that is decoded through the affected UTF-8 path may therefore bypass application-level checks that inspect the raw bytes of a string field before protobuf decoding: a byte sequence that contains no occurrence of a particular ASCII byte can still decode to a string containing that character, because the decoder reconstructs the character from an overlong encoding of it. This vulnerability is fixed in 7.5.6 and 8.0.2.
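The following is an added illustration of the mechanism described above; it is not code from protobufjs or @protobufjs/utf8. It models the bug with a small decoder (`decodeUtf8`, a hypothetical name) whose only switchable behaviour is the shortest-form check, a helper that builds overlong encodings of a code point, and a constructed raw-byte filter that forbids 0x2F ("/") in a file-name field. With the check disabled, a payload that contains no 0x2F byte passes the filter yet decodes to a string containing "/"; with the check enabled the overlong sequence becomes U+FFFD.

```javascript
// Added example, not protobufjs code. The lead-byte ranges and continuation
// masks follow RFC 3629; the lenient/strict switch is the only difference
// between the two decoders.

// Smallest code point that a 2-, 3- or 4-byte sequence may legitimately
// encode (indexed by number of continuation bytes). Anything below the
// minimum for its length is an overlong encoding.
const MIN_CP = [0, 0x80, 0x800, 0x10000];

// Decode a byte array as UTF-8. Malformed input (truncated sequences, bad
// continuation bytes, surrogates, values above U+10FFFF) is always replaced
// with U+FFFD; overlong sequences are replaced only when rejectOverlong is set.
function decodeUtf8(bytes, { rejectOverlong }) {
  let out = "";
  let i = 0;
  while (i < bytes.length) {
    const b = bytes[i++];
    if (b < 0x80) { out += String.fromCharCode(b); continue; }   // 1-byte ASCII
    let cp, extra;
    if (b >= 0xC0 && b <= 0xDF) { cp = b & 0x1F; extra = 1; }
    else if (b >= 0xE0 && b <= 0xEF) { cp = b & 0x0F; extra = 2; }
    else if (b >= 0xF0 && b <= 0xF7) { cp = b & 0x07; extra = 3; }
    else { out += "\uFFFD"; continue; }          // stray continuation or invalid lead byte
    let ok = true;
    for (let k = 0; k < extra; k++) {
      const c = bytes[i];
      if (c === undefined || (c & 0xC0) !== 0x80) { ok = false; break; }  // truncated / bad continuation
      cp = (cp << 6) | (c & 0x3F);
      i++;
    }
    if (!ok || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) { out += "\uFFFD"; continue; }
    // The vulnerable path omits this comparison, so 0xC0 0xAF (cp = 0x2F) becomes "/".
    if (rejectOverlong && cp < MIN_CP[extra]) { out += "\uFFFD"; continue; }
    out += String.fromCodePoint(cp);
  }
  return out;
}

// Build a non-shortest UTF-8 encoding of cp using len bytes (2..4). This is the
// attacker's side: any ASCII character can be hidden this way in 2, 3 or 4 bytes.
function overlongEncode(cp, len) {
  const lead = [0, 0, 0xC0, 0xE0, 0xF0][len];
  const bytes = new Array(len);
  for (let k = len - 1; k > 0; k--) { bytes[k] = 0x80 | (cp & 0x3F); cp >>= 6; }
  bytes[0] = lead | cp;
  return bytes;
}

// Hypothetical application-level check applied to the raw bytes of a string
// field before protobuf decoding, e.g. "no path separator in a file name".
function rawBytesContain(bytes, forbidden) {
  return bytes.some((b) => forbidden.includes(b));
}

// Constructed attacker payload: ".." followed by an overlong two-byte "/"
// (0xC0 0xAF) and "etc". No raw byte equals 0x2F, so the filter passes.
const PAYLOAD = [0x2E, 0x2E, ...overlongEncode(0x2F, 2), 0x65, 0x74, 0x63];

function demo() {
  const rawHasSlash = rawBytesContain(PAYLOAD, [0x2F]);           // false
  const lenient = decodeUtf8(PAYLOAD, { rejectOverlong: false });  // "../etc"
  const strict = decodeUtf8(PAYLOAD, { rejectOverlong: true });    // "..\uFFFDetc"
  return { rawHasSlash, lenient, strict };
}

console.log(JSON.stringify(demo()));
```

The fix that matters for callers is the one the strict branch performs: compare the decoded value against the minimum for its sequence length and emit U+FFFD on failure. A raw-byte check in front of a decoder that lacks that comparison provides no guarantee about the decoded string, so upgrade to the patched versions rather than adding more byte-level filtering.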


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Affected versions     Patched versions
protobufjs (npm)          < 7.5.6               7.5.6
protobufjs (npm)          >= 8.0.0, < 8.0.2     8.0.2
@protobufjs/utf8 (npm)    < 1.1.1               1.1.1
