Medium severity 5.3 · GHSA Advisory · Published May 13, 2026 · Updated May 13, 2026
CVE-2026-44294
Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
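A pre-load check for JSON descriptors that come from an untrusted source, as an added example (not code from protobufjs or from the advisory). The function names and the sample descriptor are constructed for illustration. The advisory does not list the affected characters, so the check assumes the conservative set of all C0/C1 control characters plus DEL.

```javascript
// Added example: screen a protobufjs JSON descriptor before it is loaded.
// Assumption: the advisory does not name the affected characters, so every
// C0/C1 control character and DEL is treated as unsafe.
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f]/;

// Render a name safely for logs: control characters become \uXXXX escapes.
function printable(name) {
  return name.replace(/[\u0000-\u001f\u007f-\u009f]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Walk the descriptor ({ nested: { Type: { fields, oneofs, nested } } }) and
// return every field or oneof name that contains a control character.
function findUnsafeNames(node, path = "") {
  const findings = [];
  if (!node || typeof node !== "object") return findings;
  for (const section of ["fields", "oneofs", "nested"]) {
    const entries = node[section];
    if (!entries || typeof entries !== "object") continue;
    for (const [name, child] of Object.entries(entries)) {
      const here = path ? path + "." + printable(name) : printable(name);
      if (section === "nested") {
        findings.push(...findUnsafeNames(child, here)); // descend into types
      } else if (CONTROL_CHARS.test(name)) {
        findings.push({ kind: section, path: here });
      }
    }
  }
  return findings;
}

// Constructed sample: one clean message, one with a newline in a field name
// and a NUL in a oneof name.
const sampleDescriptor = {
  nested: { demo: { nested: {
    Good: { fields: { id: { type: "int32", id: 1 } } },
    Bad: {
      fields: { "na\nme": { type: "string", id: 1 },
                ok: { type: "string", id: 2 } },
      oneofs: { "ki\u0000nd": { oneof: ["ok"] } },
    },
  } } },
};

console.log(findUnsafeNames(sampleDescriptor));
```

Rejecting a descriptor with any finding complements upgrading to 7.5.6 or 8.0.2; it does not replace it.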
Affected products
- Range: >= 8.0.0, <= 8.0.1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-2pr8-phx7-x9h3 (GHSA; Advisory)
- github.com/protobufjs/protobuf.js/security/advisories/GHSA-2pr8-phx7-x9h3 (NVD; Mitigation, Vendor Advisory)
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6 (GHSA)
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2 (GHSA)
- nvd.nist.gov/vuln/detail/CVE-2026-44294 (GHSA)