Prototype pollution in protobuf.js - #VU136899
Published: July 4, 2026
protobuf.js
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information or modify application behavior.
The vulnerability exists due to improperly controlled modification of object prototype attributes in the Text Format parser for string-keyed map fields when it processes attacker-supplied protobuf text-format input. A remote attacker can supply a crafted map entry with the key __proto__ to disclose sensitive information or modify application behavior.
Only the optional Text Format extension is affected. Exploitation requires a target schema with a string-keyed map field, and impact depends on downstream application logic treating inherited properties on the returned map object as meaningful.
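The mechanism described above can be shown with a weak map-building pattern beside a hardened one. This is an added example, not protobuf.js source code. The function names and sample entries are hypothetical, and it assumes a map field whose values are message objects.

```javascript
// Added illustration only: NOT protobuf.js source code.
// Constructed sample: entries as a text-format parser might yield them for a
// hypothetical map<string, Message> field after tokenizing the input.
const sampleEntries = [
  { key: "alice", value: { role: "user" } },
  { key: "__proto__", value: { isAdmin: true } }, // the key named in the advisory
];

// Weak pattern: plain object plus bracket assignment. Assigning an object to
// "__proto__" runs the accessor inherited from Object.prototype, so the entry
// replaces the map's prototype instead of being stored as a key.
function buildMapWeak(entries) {
  const map = {};
  for (const { key, value } of entries) map[key] = value;
  return map;
}

// Hardened pattern: a null-prototype object has no "__proto__" accessor, so
// every key, including "__proto__", becomes an ordinary own property.
function buildMapHardened(entries) {
  const map = Object.create(null);
  for (const { key, value } of entries) map[key] = value;
  return map;
}

// Downstream guard: trust own properties only, never inherited ones.
function ownValue(map, name) {
  return Object.prototype.hasOwnProperty.call(map, name) ? map[name] : undefined;
}

// Audit helper: enumerable names readable on the map that are not own keys.
function inheritedNames(map) {
  const names = [];
  for (const name in map) {
    if (!Object.prototype.hasOwnProperty.call(map, name)) names.push(name);
  }
  return names;
}

const weak = buildMapWeak(sampleEntries);
const hardened = buildMapHardened(sampleEntries);
console.log("weak map inherited names:", inheritedNames(weak));
console.log("hardened map own keys:", Object.keys(hardened));
```

Only the returned map object is affected in the weak case, which matches the advisory's point that impact depends on downstream code treating inherited properties as meaningful. The global Object.prototype is left untouched.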