Prototype pollution in protobuf.js - CVE-2026-44292
Published: May 12, 2026
protobuf.js
Detailed vulnerability description
The vulnerability allows a remote attacker to modify the prototype chain of a message instance.
The vulnerability exists due to improperly controlled modification of object prototype attributes in generated message constructors when copying enumerable properties from an attacker-controlled plain object. A remote attacker can supply an object containing an own enumerable __proto__ property to modify the prototype chain of a message instance.
This is a per-instance prototype injection issue and does not affect Object.prototype or other global prototypes.
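The behaviour described above, as an added example that is not protobuf.js source or the project's fix: VulnerableMessage and HardenedMessage are hypothetical stand-ins for a generated message constructor, the fields name and isAdmin and the input are constructed, and skipping the __proto__ key is one possible mitigation assumed here.

```javascript
// Hypothetical generated-style constructor: copies every own enumerable key.
function VulnerableMessage(properties) {
  if (properties) {
    for (const key of Object.keys(properties)) {
      // For key "__proto__" this assignment runs the inherited
      // Object.prototype.__proto__ setter and re-parents this instance.
      if (properties[key] != null) this[key] = properties[key];
    }
  }
}
VulnerableMessage.prototype.name = "";
VulnerableMessage.prototype.isAdmin = false; // field default lives on the prototype

// Same copy loop with the dangerous key skipped (assumed mitigation).
function HardenedMessage(properties) {
  if (properties) {
    for (const key of Object.keys(properties)) {
      if (key === "__proto__") continue;
      if (properties[key] != null) this[key] = properties[key];
    }
  }
}
HardenedMessage.prototype.name = "";
HardenedMessage.prototype.isAdmin = false;

// Pre-construction check: does the input carry an own "__proto__" key?
function hasOwnProtoKey(obj) {
  return obj != null && Object.prototype.hasOwnProperty.call(obj, "__proto__");
}

// Constructed input: JSON.parse defines "__proto__" as an own enumerable
// data property, unlike an object literal written in source code.
function constructedInput() {
  return JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');
}

function inspectInstance(Ctor, input) {
  const msg = new Ctor(input);
  return {
    protoIntact: Object.getPrototypeOf(msg) === Ctor.prototype,
    name: msg.name,
    isAdmin: msg.isAdmin,                    // default can be shadowed via injected prototype
    globalClean: ({}).isAdmin === undefined, // Object.prototype stays untouched
  };
}

console.log("vulnerable:", inspectInstance(VulnerableMessage, constructedInput()));
console.log("hardened:  ", inspectInstance(HardenedMessage, constructedInput()));
```

Code that trusts field defaults or instanceof checks on a message built from untrusted plain objects should treat a failed protoIntact check, or a true result from hasOwnProtoKey on the input, as a reason to reject the input.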