Code Injection in protobuf.js - CVE-2026-44291

Published: May 12, 2026


Vulnerability identifier: #VU131164
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-44291
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: protobuf.js
Affected software: protobuf.js

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper control of code generation in generated encode and decode functions when processing internal type lookup tables after Object.prototype has been polluted. A remote attacker can influence inherited properties used as protobuf type information to execute arbitrary JavaScript code.

Exploitation requires a separate prototype pollution primitive to pollute Object.prototype before the affected code generation path is reached.
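The failure mode described above, as an added illustration that is not protobuf.js's code and does not reproduce its internals: a lookup table built as a plain object consults the prototype chain, so once Object.prototype carries an attacker-controlled property, a lookup for an unknown name returns inherited data instead of undefined. The table builders, lookup functions and the detection helper below are hypothetical names; the pollution inside demo() is constructed for the demonstration and removed again before it returns.

```javascript
// Added example, not protobuf.js code. Shows why a plain-object type table
// is affected by Object.prototype pollution and two patterns that are not.

// Naive table: a plain object whose prototype chain reaches Object.prototype.
function buildNaiveTable(entries) {
  const table = {};
  for (const [name, info] of entries) table[name] = info;
  return table;
}

// Hardened table: null prototype, so there is no chain to inherit from.
function buildHardenedTable(entries) {
  const table = Object.create(null);
  for (const [name, info] of entries) table[name] = info;
  return table;
}

// Naive lookup: anything reachable through the prototype chain counts as a hit.
function lookupNaive(table, name) {
  return table[name];
}

// Hardened lookup: only own properties of the table are considered.
function lookupOwn(table, name) {
  return Object.hasOwn(table, name) ? table[name] : undefined;
}

// Detection helper: a clean Object.prototype has no enumerable own keys, and
// the usual pollution paths (unsafe recursive merge, path assignment) create
// enumerable properties. A non-empty result is a strong signal to investigate.
function prototypeLooksClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Build both tables, pollute the prototype (constructed for the demo), and
// record how each lookup behaves. Cleanup runs in finally.
function demo() {
  const entries = [["Foo", { kind: "message" }]];
  const naive = buildNaiveTable(entries);
  const hardened = buildHardenedTable(entries);
  const cleanBefore = prototypeLooksClean();

  // Constructed pollution: an inherited property whose name a resolver might
  // later look up as a type. "Bar" is not registered in either table.
  Object.defineProperty(Object.prototype, "Bar", {
    value: { kind: "injected" },
    configurable: true,
    enumerable: true,
    writable: true,
  });

  try {
    return {
      cleanBefore,
      cleanDuring: prototypeLooksClean(),
      // Plain-object table + naive lookup: inherited entry is accepted.
      naiveFindsInjected: lookupNaive(naive, "Bar") !== undefined,
      // Same table, own-property lookup: inherited entry is rejected.
      ownRejectsInjected: lookupOwn(naive, "Bar") === undefined,
      // Null-prototype table: nothing to inherit even with the naive lookup.
      nullProtoRejectsInjected: lookupNaive(hardened, "Bar") === undefined,
      // Legitimate registrations still resolve under the hardened pattern.
      legitStillResolves: lookupOwn(hardened, "Foo").kind === "message",
    };
  } finally {
    delete Object.prototype.Bar;
  }
}
```

The two hardened patterns are independent: a null-prototype table removes the inheritance source, while an own-property check guards a table you do not control the construction of. prototypeLooksClean() is a cheap runtime probe a service can run at startup or before invoking generated encode/decode code; it does not identify the pollution source, only that the prerequisite for this class of bug is present.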


How to mitigate CVE-2026-44291

Install the security update from the vendor's website.

Sources