npm package
protobufjs
pkg:npm/protobufjs
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44294 | Med | 5.3 | < 7.5.6 | 7.5.6 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int | |
| CVE-2026-44293 | Hig | 8.8 | < 7.5.6 | 7.5.6 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no | |
| CVE-2026-44292 | Med | 5.3 | < 7.5.6 | 7.5.6 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message | |
| CVE-2026-44291 | Hig | 8.1 | < 7.5.6 | 7.5.6 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, | |
| CVE-2026-44290 | Hig | 7.5 | < 7.5.6 | 7.5.6 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause optio | |
| CVE-2026-44289 | Hig | 7.5 | < 7.5.6 | 7.5.6 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. | |
| CVE-2026-44288 | Med | 5.3 | < 7.5.6 | 7.5.6 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can | |
| CVE-2026-41242 | Cri | 9.8 | >= 8.0.0, < 8.0.1 | 8.0.1 | Apr 18, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 an | |
| CVE-2023-36665 | — | >= 7.0.0, < 7.2.5 | 7.2.5 | Jul 5, 2023 | "protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data a | ||
| CVE-2022-25878 | — | >= 6.11.0, < 6.11.3 | 6.11.3 | May 27, 2022 | The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject. | ||
| CVE-2018-3738 | — | >= 6.0.0, < 6.8.6 | 6.8.6 | Jun 7, 2018 | protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files. |
- affected < 7.5.6fixed 7.5.6
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int
- affected < 7.5.6fixed 7.5.6
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no
- affected < 7.5.6fixed 7.5.6
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message
- affected < 7.5.6fixed 7.5.6
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted,
- affected < 7.5.6fixed 7.5.6
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause optio
- affected < 7.5.6fixed 7.5.6
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.
- affected < 7.5.6fixed 7.5.6
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can
- affected >= 8.0.0, < 8.0.1fixed 8.0.1
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 an
- CVE-2023-36665Jul 5, 2023affected >= 7.0.0, < 7.2.5fixed 7.2.5
"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data a
- CVE-2022-25878May 27, 2022affected >= 6.11.0, < 6.11.3fixed 6.11.3
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.
- CVE-2018-3738Jun 7, 2018affected >= 6.0.0, < 6.8.6fixed 6.8.6
protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files.