CVE-2026-44291

Published: May 13th, 2026
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.
HIGH
CVSS v3: 8.1

Status

DocFilters Release Package State Justification Comment
26.2 protobuf (3.0.0) Needs Triage
26.1 protobuf (3.0.0) Needs Triage
25.4 protobuf (3.0.0) Needs Triage
25.3 protobuf (3.0.0) Needs Triage
25.2 protobuf (3.0.0) Needs Triage
25.1 protobuf (3.0.0) Needs Triage
24.4 protobuf (3.0.0) Needs Triage
24.4.0 protobuf (3.0.0) Needs Triage
24.3 protobuf (3.0.0) Needs Triage
24.2 protobuf (3.0.0) Needs Triage
24.1 protobuf (3.0.0) Needs Triage
23.3 protobuf (3.0.0) Needs Triage
23.2 protobuf (3.0.0) Needs Triage
23.1 protobuf (3.0.0) Needs Triage
22.4 protobuf (3.0.0) Needs Triage
22.3 protobuf (3.0.0) Needs Triage
22.2 protobuf (3.0.0) Needs Triage
22.1 protobuf (3.0.0) Needs Triage
21.11 protobuf (3.0.0) Needs Triage
21.8 protobuf (3.0.0) Needs Triage
21.5.0 protobuf (3.0.0) Needs Triage
21.2.0 protobuf (3.0.0) Needs Triage
11.4.19.3667 protobuf (3.0.0) Needs Triage
11.4.18.3599 protobuf (3.0.0) Needs Triage
11.4.16.3445 protobuf (3.0.0) Needs Triage
11.4.15.3368 protobuf (3.0.0) Needs Triage
11.4.14.3263 protobuf (3.0.0) Needs Triage
11.4.13.3179 protobuf (3.0.0) Needs Triage
11.4.12.3054 protobuf (3.0.0) Needs Triage
11.4.11.3040 protobuf (3.0.0) Needs Triage
11.4.11.2990 protobuf (3.0.0) Needs Triage
11.4.10.2934 protobuf (3.0.0) Needs Triage
11.4.9.2878 protobuf (3.0.0) Needs Triage
11.4.8.2822 protobuf (3.0.0) Needs Triage

Severity score breakdown

Attack Complexity
HIGH
Attack Vector
NETWORK
Availability Impact
HIGH
Base Score
8.1
Base Severity
HIGH
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Privileges Required
NONE
Scope
UNCHANGED
User Interaction
NONE
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Version
3.1

References