SB2026051264 - Multiple vulnerabilities in protobuf.js




Published: May 12, 2026

Security Bulletin ID: SB2026051264
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 14% (1 of 7)
Medium: 86% (6 of 7)

Description

This security bulletin contains information about 7 vulnerabilities.


1) Code Injection (CVE-ID: CVE-2026-44293)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of code generation in generated toObject code when processing an attacker-controlled protobuf descriptor with a non-string default value for a bytes field and converting a message with defaults enabled. A remote user can provide a crafted descriptor to execute arbitrary code.

Exploitation requires the application to load an attacker-controlled schema or descriptor and call toObject with defaults enabled for the affected type.


2) Prototype pollution (CVE-ID: CVE-2026-44292)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to modify the prototype chain of a message instance.

The vulnerability exists due to improperly controlled modification of object prototype attributes in generated message constructors when copying enumerable properties from an attacker-controlled plain object. A remote attacker can supply an object containing an own enumerable __proto__ property to modify the prototype chain of a message instance.

This is a per-instance prototype injection issue and does not affect Object.prototype or other global prototypes.


3) Input validation error (CVE-ID: CVE-2026-44294)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in generated JavaScript property accessors when processing an attacker-controlled protobuf schema or JSON descriptor. A remote attacker can provide a crafted schema or descriptor with control characters in field names to cause a denial of service.

Only applications that allow untrusted schemas or descriptors and trigger runtime code generation for affected message types are vulnerable.


4) Code Injection (CVE-ID: CVE-2026-44291)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper control of code generation in generated encode and decode functions when processing internal type lookup tables after Object.prototype has been polluted. A remote attacker can influence inherited properties used as protobuf type information to execute arbitrary JavaScript code.

Exploitation requires a separate prototype pollution primitive to pollute Object.prototype before the affected code generation path is reached.


5) Prototype pollution (CVE-ID: CVE-2026-44290)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper control of prototype-based property paths in protobufjs reflection APIs when parsing attacker-controlled protobuf schemas or JSON descriptors. A remote attacker can provide a specially crafted schema or descriptor to cause a denial of service.

Applications that only decode untrusted protobuf message payloads using bundled, generated, or otherwise trusted schemas are not directly affected.
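Items 1, 2, 3 and 5 share one precondition: the application hands protobuf.js a schema, JSON descriptor or plain object that an attacker controls. The block below is an added example written for this bulletin; it is not protobuf.js code and not the vendor's fix, and upgrading remains the remediation. It is a pre-load check for the protobuf.js JSON descriptor layout (nested / fields / values / oneofs, field.type, field.id, field.options.default) that rejects the input shapes named above before they reach the reflection and code-generation layer: non-identifier field names such as control characters (item 3), own __proto__ / constructor / prototype keys and dotted type paths through them (items 2 and 5), and a non-string default on a bytes or string field (item 1). The companion helper strips prototype-related keys from a plain object before it is passed to a generated message constructor (item 2). The sample descriptors at the end are constructed for the example. Applications using only bundled or generated schemas need none of this.

```javascript
"use strict";

// Pre-load validation for protobuf.js JSON descriptors. Added example, not
// protobuf.js code and not the vendor's patch. Sample inputs are constructed.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;                                  // one identifier
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/; // dotted type ref
const PROTO_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const PRIMITIVE = new Set(["string", "number", "boolean"]);

const isPlain = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const fail = (path, reason) => ({ ok: false, path: path.join("."), reason });

// Rejects control characters and anything else outside [A-Za-z0-9_] (item 3), and the
// prototype-related names, which IDENT alone would accept (items 2 and 5).
function checkName(name, path) {
  if (PROTO_KEYS.has(name)) return fail(path, `prototype-related name '${name}'`);
  if (!IDENT.test(name)) return fail(path, `not an identifier: ${JSON.stringify(name)}`);
  return null;
}

function checkField(name, field, path) {
  const bad = checkName(name, path);
  if (bad) return bad;
  if (!isPlain(field)) return fail(path, "field must be an object");
  if (!Number.isInteger(field.id) || field.id < 1) return fail(path, "field id must be a positive integer");
  if (typeof field.type !== "string" || !TYPE_REF.test(field.type)) return fail(path, "bad type reference");
  for (const seg of field.type.replace(/^\./, "").split("."))   // item 5: no __proto__.x lookups
    if (PROTO_KEYS.has(seg)) return fail(path, `type path segment '${seg}'`);
  if (field.options !== undefined) {
    if (!isPlain(field.options)) return fail(path, "options must be an object");
    for (const k of Object.keys(field.options))
      if (PROTO_KEYS.has(k)) return fail(path, `forbidden option key '${k}'`);
    if (Object.prototype.hasOwnProperty.call(field.options, "default")) {
      const d = field.options.default;
      if (field.type === "bytes" || field.type === "string") {
        if (typeof d !== "string") return fail(path, `default for ${field.type} must be a string`); // item 1
      } else if (!PRIMITIVE.has(typeof d)) {
        return fail(path, "default must be a primitive");
      }
    }
  }
  return null;
}

// Walk a namespace, message or enum node; returns null when clean, else a failure record.
function checkNode(node, path) {
  if (!isPlain(node)) return fail(path, "node must be a plain object");
  for (const k of Object.keys(node))
    if (PROTO_KEYS.has(k)) return fail(path, `forbidden own key '${k}'`);
  for (const section of ["fields", "values", "oneofs", "nested"]) {
    if (node[section] === undefined) continue;
    if (!isPlain(node[section])) return fail(path, `${section} must be an object`);
    for (const [name, child] of Object.entries(node[section])) {
      const sub = path.concat(name);
      let bad = section === "fields" ? checkField(name, child, sub) : checkName(name, sub);
      if (!bad && section === "values" && !Number.isInteger(child)) bad = fail(sub, "enum value must be an integer");
      if (!bad && section === "nested") bad = checkNode(child, sub);
      if (bad) return bad;
    }
  }
  return null;
}

function validateDescriptor(json) { return checkNode(json, ["root"]) ?? { ok: true }; }

// Item 2: drop own prototype-related keys (recursively) from a plain object before
// it is copied into a generated message constructor. Typed arrays (bytes) pass through.
function stripPrototypeKeys(value) {
  if (Array.isArray(value)) return value.map(stripPrototypeKeys);
  if (value === null || typeof value !== "object" || ArrayBuffer.isView(value)) return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) if (!PROTO_KEYS.has(k)) out[k] = stripPrototypeKeys(v);
  return out;
}

// Constructed sample descriptors (JSON.parse keeps "__proto__" as an own key, as a real request body would).
const GOOD = { nested: { demo: { nested: { Ping: { fields: {
  id: { type: "uint32", id: 1 }, payload: { type: "bytes", id: 2, options: { default: "" } } } } } } } };
const CTRL_NAME = JSON.parse('{"nested":{"Evil":{"fields":{"a\\u0000b":{"type":"string","id":1}}}}}');
const BAD_DEFAULT = { nested: { Evil: { fields: { blob: { type: "bytes", id: 1, options: { default: { x: 1 } } } } } } };
const PROTO_KEY = JSON.parse('{"nested":{"__proto__":{"fields":{}}}}');

console.log(validateDescriptor(GOOD), validateDescriptor(CTRL_NAME), validateDescriptor(BAD_DEFAULT), validateDescriptor(PROTO_KEY));
```

Run the validator on the parsed request body before `protobuf.Root.fromJSON`, and treat any failure as a rejected request rather than something to sanitise and retry; the path in the failure record is enough for a log line.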


6) Improper Handling of Unicode Encoding (CVE-ID: CVE-2026-44288)

CWE-ID: CWE-176 - Improper Handling of Unicode Encoding

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass application-level integrity checks.

The vulnerability exists due to improper handling of unicode encoding in the minimal UTF-8 decoder when decoding attacker-influenced protobuf binary data through the affected UTF-8 path. A remote attacker can provide specially crafted protobuf binary data to bypass application-level integrity checks.

The issue is exposed only when the affected protobuf string field is decoded through protobufjs's minimal UTF-8 decoder rather than a native UTF-8 decoder, and the application relies on byte-level filtering before protobuf string decoding in a security-sensitive context.
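The bulletin does not state which malformed sequence the minimal UTF-8 decoder accepts, so the added example below (not protobuf.js code, not the vendor's fix) uses the classic CWE-176 case, an overlong two-byte encoding of '/', to show why the byte-level filtering described above is not a defence: the filter looks for byte 0x2F, the bytes C0 AF contain no 0x2F, and a decoder that does not reject overlong forms still produces '/'. The lenient decoder is constructed here for illustration; the strict path is the platform's TextDecoder in fatal mode, which throws on any malformed sequence. The sample byte strings are constructed.

```javascript
"use strict";

// Byte-level filtering versus UTF-8 validation (CWE-176). Added example, not protobuf.js
// code. The lenient decoder below is constructed to illustrate the failure mode.

// Lenient decoder: rebuilds code points from continuation bits without checking for
// overlong forms, surrogates or truncation. Do not use this shape in real code.
function lenientUtf8(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; ) {
    const b = bytes[i];
    let cp, n;
    if (b < 0x80)                 { cp = b;        n = 1; }
    else if ((b & 0xe0) === 0xc0) { cp = b & 0x1f; n = 2; }
    else if ((b & 0xf0) === 0xe0) { cp = b & 0x0f; n = 3; }
    else                          { cp = b & 0x07; n = 4; }
    for (let k = 1; k < n; k++) cp = (cp << 6) | (bytes[i + k] & 0x3f);
    out += String.fromCodePoint(cp);
    i += n;
  }
  return out;
}

// Strict decoder: fatal mode throws TypeError on malformed input, overlong encodings included.
const STRICT = new TextDecoder("utf-8", { fatal: true });
function isValidUtf8(bytes) {
  try { STRICT.decode(bytes); return true; } catch (e) { return false; }
}

// The kind of byte-level check an application might run before decoding a string field.
function containsSlashByte(bytes) { return bytes.includes(0x2f); }

// The order that holds: validate the encoding, decode strictly, then filter on the text.
function decodeAndCheckPath(bytes) {
  if (!isValidUtf8(bytes)) throw new TypeError("string field is not valid UTF-8");
  const text = STRICT.decode(bytes);
  if (text.includes("/") || text.includes("\\")) throw new Error("path separator in field");
  return text;
}

// Constructed inputs: "../etc" with the slash as the overlong sequence C0 AF, and the
// canonical form with the single byte 2F.
const OVERLONG = Uint8Array.from([0x2e, 0x2e, 0xc0, 0xaf, 0x65, 0x74, 0x63]);
const CANONICAL = Uint8Array.from([0x2e, 0x2e, 0x2f, 0x65, 0x74, 0x63]);

console.log(containsSlashByte(OVERLONG), JSON.stringify(lenientUtf8(OVERLONG)), isValidUtf8(OVERLONG));
```

Note that the non-fatal paths (`Buffer.toString("utf8")`, `new TextDecoder()` without `fatal`) do not throw; they substitute U+FFFD, which is safe for a filter that runs on the decoded text but still silently accepts the payload. For the case in this bulletin the fix is to make sure the affected field is decoded by a validating decoder and to apply any path or separator check to the decoded string, never to the raw bytes.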


7) Uncontrolled Recursion (CVE-ID: CVE-2026-44289)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in the protobuf decoder when decoding nested protobuf binary data. A remote attacker can send a specially crafted protobuf binary payload to cause a denial of service.

This affects applications that decode untrusted protobuf binary input, including decoder paths that skip unknown group fields or decode nested message fields.
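Both decoder paths named above recurse once per nested level, so the input that triggers item 7 is simply a message nested deeper than the call stack allows. The added example below (not protobuf.js code, not the vendor's fix) is a pre-check that walks the wire format with a hard nesting limit before the payload is handed to `decode`: it reads tags and lengths, descends into nested messages and into groups (wire types 3 and 4), and throws once a level beyond the limit would be entered, so the walker itself never recurses past that bound. It assumes, for the example, that field 1 of every message is a nested message; other length-delimited fields are skipped as opaque bytes. The two builders at the end construct over-nested payloads of both shapes, nested messages and nested groups, so the check can be exercised offline.

```javascript
"use strict";

// Nesting-depth pre-check for protobuf wire-format input. Added example, not protobuf.js
// code. Assumption: field 1 carries a nested message; groups nest regardless of field number.

// Base-128 varint at pos; returns [value, nextPos]. Uses arithmetic, not bitwise ops,
// so values past 2^31 stay exact.
function readVarint(buf, pos) {
  let value = 0, shift = 0;
  for (;;) {
    if (pos >= buf.length) throw new Error("truncated varint");
    const b = buf[pos++];
    value += (b & 0x7f) * 2 ** shift;
    if ((b & 0x80) === 0) return [value, pos];
    shift += 7;
    if (shift > 63) throw new Error("varint longer than 10 bytes");
  }
}

// Returns the deepest nesting level seen (top level is 0), or throws RangeError as soon
// as a level beyond maxDepth would be entered. Malformed input throws a plain Error.
function nestingDepth(buf, maxDepth = 64) {
  let deepest = 0;
  function visit(start, end, depth, groupField) {
    if (depth > maxDepth) throw new RangeError(`nesting deeper than ${maxDepth}`);
    if (depth > deepest) deepest = depth;
    let pos = start;
    while (pos < end) {
      let tag;
      [tag, pos] = readVarint(buf, pos);
      const field = Math.floor(tag / 8), wire = tag % 8;
      switch (wire) {
        case 0: [, pos] = readVarint(buf, pos); break;          // varint
        case 1: pos += 8; break;                                // fixed64
        case 5: pos += 4; break;                                // fixed32
        case 2: {                                               // length-delimited
          let len;
          [len, pos] = readVarint(buf, pos);
          if (pos + len > end) throw new Error("length-delimited field overruns message");
          if (field === 1) visit(pos, pos + len, depth + 1, null);
          pos += len;
          break;
        }
        case 3: pos = visit(pos, end, depth + 1, field); break; // start group
        case 4:                                                 // end group
          if (groupField === field) return pos;
          throw new Error("unexpected end-group");
        default: throw new Error(`bad wire type ${wire}`);
      }
      if (pos > end) throw new Error("field overruns message");
    }
    if (groupField !== null) throw new Error("unterminated group");
    return pos;
  }
  visit(0, buf.length, 0, null);
  return deepest;
}

// Convenience wrapper: false only for over-nesting; other malformed input still throws.
function isWithinDepth(buf, maxDepth = 64) {
  try { nestingDepth(buf, maxDepth); return true; }
  catch (e) { if (e instanceof RangeError) return false; throw e; }
}

// Constructed payload builders: `depth` levels of field 1 as nested messages
// (tag 0x0A = field 1, wire type 2) and as nested groups (0x0B ... 0x0C).
function varint(n) {
  const out = [];
  do { let b = n % 128; n = Math.floor(n / 128); if (n > 0) b |= 0x80; out.push(b); } while (n > 0);
  return out;
}
function nestedMessages(depth) {
  let inner = [];
  for (let i = 0; i < depth; i++) inner = [0x0a, ...varint(inner.length), ...inner];
  return Uint8Array.from(inner);
}
function nestedGroups(depth) {
  let inner = [];
  for (let i = 0; i < depth; i++) inner = [0x0b, ...inner, 0x0c];
  return Uint8Array.from(inner);
}

console.log(nestingDepth(nestedMessages(10)), isWithinDepth(nestedMessages(200)), isWithinDepth(nestedGroups(500)));
```

Pick the limit from the schema (the deepest legitimate message nesting plus a margin) rather than from the stack size; a cap on total payload size is a separate and weaker control, since a few hundred bytes are enough to build the depth that defeats an unbounded recursive decoder.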


Remediation

Install update from vendor's website.