High severity8.1GHSA Advisory· Published May 13, 2026· Updated May 14, 2026
CVE-2026-44291
CVE-2026-44291
Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.
Affected products
1- Range: >= 8.0.0, <= 8.0.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-75px-5xx7-5xc7ghsaADVISORY
- github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7nvdMitigationVendor Advisory
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6ghsa
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2ghsa
- nvd.nist.gov/vuln/detail/CVE-2026-44291ghsa
News mentions
0No linked articles in our index yet.