PT-2026-40534 · Npm · Protobufjs

Published

2026-05-12

·

Updated

2026-05-13

·

CVE-2026-44288

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

protobufjs versions prior to 7.5.6
protobufjs versions prior to 8.0.2
Description

protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. That decoder accepts overlong UTF-8 byte sequences (encodings that use more bytes than necessary to represent a character) and decodes them to the canonical character instead of rejecting them or substituting the U+FFFD replacement character, as a conforming decoder does. An attacker who supplies protobuf binary data that is decoded through this path can therefore bypass application-level checks that inspect the raw bytes before string decoding: bytes that contain no occurrence of a particular ASCII character (for example 0x2E or 0x2F) can still decode into a string that contains it. The impact depends on how the downstream application validates and uses the decoded strings.
Recommendations

Update to version 7.5.6.
Update to version 8.0.2.
Avoid relying solely on byte-level filtering before protobuf string decoding.
Validate decoded strings at the point of use.
Prefer runtime paths that utilize native UTF-8 decoding.
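The bypass described above, as an added example that is not protobufjs code and not taken from this advisory. naiveUtf8Decode is a deliberately permissive decoder written here to represent the class of minimal decoder the advisory describes (an assumption about its behaviour, not the library's source); strictUtf8Decode is the hardened counterpart that rejects overlong forms, surrogates and out-of-range code points, and Node's built-in TextDecoder serves as the native reference. The payload bytes and the rawBytesContainDotDot check are constructed for this illustration and stand in for a hypothetical application-side filter.

```javascript
// Added example (not protobufjs code). Shows how a byte-level ".." filter is
// bypassed when the decoder accepts overlong UTF-8, and how a strict decoder
// (or the native TextDecoder) neutralises the same bytes.

// Constructed protobuf string field payload (bytes after the length prefix):
// "img/" + overlong "../" (0xC0 0xAE = '.', 0xC0 0xAF = '/') + "secret".
const payload = Uint8Array.from([
  0x69, 0x6d, 0x67, 0x2f,                 // "img/"
  0xc0, 0xae, 0xc0, 0xae, 0xc0, 0xaf,     // overlong "../"
  0x73, 0x65, 0x63, 0x72, 0x65, 0x74,     // "secret"
]);

// Hypothetical application check that looks for a literal 0x2E 0x2E in the raw
// bytes before decoding. This is the check the overlong encoding slips past.
function rawBytesContainDotDot(bytes) {
  for (let i = 0; i + 1 < bytes.length; i++) {
    if (bytes[i] === 0x2e && bytes[i + 1] === 0x2e) return true;
  }
  return false;
}

// Permissive decoder: assembles the code point from the lead/continuation bits
// without checking that the shortest possible encoding was used. Modelled on
// the minimal-decoder behaviour the advisory describes (assumption).
function naiveUtf8Decode(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; ) {
    const b0 = bytes[i];
    let cp, n;
    if (b0 < 0x80) { cp = b0; n = 1; }
    else if ((b0 & 0xe0) === 0xc0) { cp = b0 & 0x1f; n = 2; }
    else if ((b0 & 0xf0) === 0xe0) { cp = b0 & 0x0f; n = 3; }
    else if ((b0 & 0xf8) === 0xf0) { cp = b0 & 0x07; n = 4; }
    else { out += '\ufffd'; i += 1; continue; }
    if (i + n > bytes.length) { out += '\ufffd'; break; }
    for (let k = 1; k < n; k++) cp = (cp << 6) | (bytes[i + k] & 0x3f);
    if (cp > 0x10ffff) cp = 0xfffd;          // keep fromCodePoint from throwing
    out += String.fromCodePoint(cp);
    i += n;
  }
  return out;
}

// Strict decoder: enforces valid lead-byte ranges, continuation-byte form, the
// minimum value for each sequence length (no overlong forms), no surrogates and
// no code points above U+10FFFF. Invalid input becomes U+FFFD, one byte at a time.
function strictUtf8Decode(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; ) {
    const b0 = bytes[i];
    let cp, n, min;
    if (b0 < 0x80) { out += String.fromCharCode(b0); i += 1; continue; }
    else if (b0 >= 0xc2 && b0 <= 0xdf) { cp = b0 & 0x1f; n = 2; min = 0x80; }
    else if (b0 >= 0xe0 && b0 <= 0xef) { cp = b0 & 0x0f; n = 3; min = 0x800; }
    else if (b0 >= 0xf0 && b0 <= 0xf4) { cp = b0 & 0x07; n = 4; min = 0x10000; }
    else { out += '\ufffd'; i += 1; continue; }   // 0xC0/0xC1/0xF5+ and stray continuations
    let ok = i + n <= bytes.length;
    for (let k = 1; ok && k < n; k++) {
      const b = bytes[i + k];
      if ((b & 0xc0) !== 0x80) ok = false;
      else cp = (cp << 6) | (b & 0x3f);
    }
    if (ok && (cp < min || (cp >= 0xd800 && cp <= 0xdfff) || cp > 0x10ffff)) ok = false;
    if (!ok) { out += '\ufffd'; i += 1; continue; }
    out += String.fromCodePoint(cp);
    i += n;
  }
  return out;
}

// Runs the constructed payload through the raw filter and all three decoders.
function demo() {
  const naive = naiveUtf8Decode(payload);
  const strict = strictUtf8Decode(payload);
  const native = new TextDecoder('utf-8').decode(payload);
  return {
    passesRawFilter: !rawBytesContainDotDot(payload), // true: no literal 0x2E 0x2E
    naive,                                            // "img/../secret"
    strict,                                           // "img/" + 6 x U+FFFD + "secret"
    native,                                           // same as strict
    naiveHasDotDot: naive.includes('..'),             // true: filter bypassed
    strictHasDotDot: strict.includes('..'),           // false
  };
}

module.exports = { payload, rawBytesContainDotDot, naiveUtf8Decode, strictUtf8Decode, demo };
```

The point of the comparison is the last two fields: the same bytes pass the raw-byte filter, decode to a traversal-shaped string under the permissive decoder, and decode to replacement characters under the strict decoder and under TextDecoder. Checking the decoded string at the point of use, rather than the raw bytes, catches the first case regardless of which decoder produced it.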

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-44288
GHSA-Q6X5-8V7M-XCRF

Affected Products

Protobufjs