High severity8.8GHSA Advisory· Published May 13, 2026· Updated May 13, 2026

CVE-2026-44293

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
protobufjsnpm	< 7.5.6	7.5.6
protobufjsnpm	>= 8.0.0, < 8.0.2	8.0.2

Affected products

Protobufjs/Protobuf.jsGHSA
Range: >= 8.0.0, <= 8.0.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-66ff-xgx4-vchmghsaADVISORY
github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchmnvdVendor AdvisoryMitigationWEB
github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6ghsaWEB
github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000