High severity (8.1) · GHSA Advisory · Published May 13, 2026 · Updated May 14, 2026
CVE-2026-44291
Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.
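As an added illustration of the defect class the description names (this is not protobufjs's own code), a hypothetical type registry built on a plain object sits beside one built on a null-prototype object with an own-property and shape check, and a tiny stand-in generator shows how an inherited key would be accepted as type information and end up in emitted source:

```javascript
"use strict";

// Hypothetical type registry, constructed for this example: it is NOT
// protobufjs's code, only the same pattern the advisory describes.
// Weak form: a plain object inherits from Object.prototype, so a name that is
// not an own key falls through to the prototype chain (and to anything a
// prior prototype-pollution bug put there).
const weakTable = {};
weakTable.Int32 = { kind: "scalar", js: "int32" };

function weakLookup(name) {
  return weakTable[name]; // inherited keys resolve as "type info"
}

// Hardened form: a null-prototype object has no chain to fall through, and
// the lookup also insists on an own entry with the expected shape.
const safeTable = Object.create(null);
safeTable.Int32 = { kind: "scalar", js: "int32" };

function safeLookup(name) {
  if (!Object.prototype.hasOwnProperty.call(safeTable, name)) return undefined;
  const entry = safeTable[name];
  return entry && entry.kind === "scalar" && typeof entry.js === "string"
    ? entry
    : undefined;
}

// Minimal stand-in for a code generator: whatever the lookup returns is
// interpolated into a line of JavaScript source, as a real generator would.
function emitDecodeLine(lookup, typeName) {
  const info = lookup(typeName);
  if (!info) throw new Error("unknown protobuf type: " + typeName);
  return "m.f = r." + info.js + "();";
}

// Even with an unpolluted prototype, "toString" is found by the weak lookup
// because it is inherited from Object.prototype; a polluted prototype would
// expose attacker-chosen keys through exactly the same path.
console.log(typeof weakLookup("toString"));          // "function"
console.log(emitDecodeLine(weakLookup, "toString")); // m.f = r.undefined();
console.log(safeLookup("toString"));                 // undefined
console.log(emitDecodeLine(safeLookup, "Int32"));    // m.f = r.int32();
```

The null-prototype table plus the own-property check is the same hardening direction the advisory describes for the fixed releases; the shape check is an extra belt-and-braces step assumed here.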
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| protobufjs (npm) | < 7.5.6 | 7.5.6 |
| protobufjs (npm) | >= 8.0.0, < 8.0.2 | 8.0.2 |
Affected products
- (no CPE), range: >= 8.0.0, <= 8.0.1
- cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*, range: < 7.5.6
- OSV coordinates (26 package versions, each with its affected range):
  - pkg:apk/chainguard/cadence-web, range: < 4.0.15-r2
  - pkg:apk/chainguard/gemini-cli, range: < 0.44.0-r0
  - pkg:apk/chainguard/homepage, range: < 1.13.1-r3
  - pkg:apk/chainguard/kibana-8.19, range: < 8.19.15-r0
  - pkg:apk/chainguard/kibana-8.19-bitnami, range: < 8.19.15-r0
  - pkg:apk/chainguard/kibana-8.19-iamguarded, range: < 8.19.15-r0
  - pkg:apk/chainguard/kibana-9.0, range: < 9.0.8-r29
  - pkg:apk/chainguard/kibana-9.0-bitnami, range: < 9.0.8-r29
  - pkg:apk/chainguard/kibana-9.0-iamguarded, range: < 9.0.8-r29
  - pkg:apk/chainguard/kibana-9.1, range: < 9.1.10-r18
  - pkg:apk/chainguard/kibana-9.1-iamguarded, range: < 9.1.10-r18
  - pkg:apk/chainguard/kibana-9.3, range: < 9.3.4-r4
  - pkg:apk/chainguard/kibana-9.3-iamguarded, range: < 9.3.4-r4
  - pkg:apk/chainguard/kibana-9.4, range: < 9.4.2-r2
  - pkg:apk/chainguard/kibana-9.4-iamguarded, range: < 9.4.2-r2
  - pkg:apk/chainguard/kubeflow-centraldashboard, range: < 1.10.0-r21
  - pkg:apk/chainguard/librechat, range: < 0.8.4-r7
  - pkg:apk/chainguard/opentelemetry-auto-instrumentations-node, range: < 0.76.0-r0
  - pkg:apk/chainguard/pulumi-language-nodejs, range: < 3.237.0-r1
  - pkg:apk/chainguard/renovate, range: < 43.170.15-r2
  - pkg:apk/chainguard/vitess-23, range: < 23.0.4-r5
  - pkg:apk/wolfi/kubeflow-centraldashboard, range: < 1.10.0-r21
  - pkg:apk/wolfi/pulumi-language-nodejs, range: < 3.237.0-r1
  - pkg:apk/wolfi/renovate, range: < 43.170.15-r2
  - pkg:apk/wolfi/vitess-23, range: < 23.0.4-r5
  - pkg:npm/protobufjs, range: < 7.5.6
References
- github.com/advisories/GHSA-75px-5xx7-5xc7 (GHSA, advisory)
- github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7 (NVD: mitigation, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2026-44291 (GHSA, advisory)
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6 (GHSA, web)
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2 (GHSA, web)
News mentions
- Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS (The Hacker News, Jun 10, 2026)