PT-2026-40536 · Npm · Protobufjs
Akiilex +1
Published 2026-05-12 · Updated 2026-06-09
CVE-2026-44290
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
protobufjs versions prior to 7.5.6
protobufjs versions prior to 8.0.2
Description
protobufjs allows certain schema option paths to traverse inherited object properties during option application. A crafted protobuf schema or JSON descriptor can cause option handling to write to properties on global JavaScript constructors, corrupting built-in process-wide functionality. This can lead to a persistent denial of service for the lifetime of the affected process.

The issue affects applications that parse or load protobuf schemas or descriptors from untrusted sources using reflection APIs such as parse(), Root.load(), Root.loadSync(), or Root.fromJSON(). Applications using bundled or trusted schemas to decode untrusted payloads are not directly affected.
Recommendations
Update to version 7.5.6.
Update to version 8.0.2.
Avoid parsing or loading protobuf schemas or JSON descriptors from untrusted sources.
Validate or reject option names containing unsafe property path components before loading them.
Run schema processing in an isolated process.
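The pre-load check from the recommendations, as an added example that is not protobufjs code: it walks a JSON descriptor of the shape passed to Root.fromJSON() and rejects any option name whose dotted path contains a prototype-walking component. The descriptor layout, the list of unsafe components and the sample option name are assumptions constructed for illustration.

```javascript
// Added example, not part of protobufjs. Reject option names that could walk
// inherited properties before a descriptor from an untrusted source is loaded.
const UNSAFE_COMPONENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Assumption: option names are dotted paths, e.g. "(my.ext).deep.path".
// Parentheses around extension names are stripped so every segment is checked.
function isUnsafeOptionName(name) {
  return name.replace(/[()]/g, '').split('.').some((c) => UNSAFE_COMPONENTS.has(c));
}

// Walk the descriptor and collect every unsafe option name with its location.
// Any object stored under a key named "options" is treated as an option map.
function findUnsafeOptionNames(node, path = [], found = []) {
  if (node === null || typeof node !== 'object') return found;
  if (Array.isArray(node)) {
    node.forEach((v, i) => findUnsafeOptionNames(v, path.concat(String(i)), found));
    return found;
  }
  for (const [key, value] of Object.entries(node)) {
    if (key === 'options' && value && typeof value === 'object') {
      for (const optName of Object.keys(value)) {
        if (isUnsafeOptionName(optName)) found.push({ at: path.join('.'), option: optName });
      }
    } else {
      findUnsafeOptionNames(value, path.concat(key), found);
    }
  }
  return found;
}

// Gate to call before Root.fromJSON(descriptor); throws on the first unsafe name.
function assertDescriptorSafe(descriptor) {
  const hits = findUnsafeOptionNames(descriptor);
  if (hits.length > 0) {
    throw new Error(`unsafe option name ${hits[0].option} at ${hits[0].at}`);
  }
  return descriptor;
}

// Constructed sample descriptor: one benign option and one that must be rejected.
const SAMPLE_DESCRIPTOR = {
  nested: {
    mypkg: {
      options: { java_package: 'com.example' },
      nested: {
        Greeting: {
          fields: { text: { type: 'string', id: 1, options: { '(mypkg.ext).__proto__.polluted': true } } },
        },
      },
    },
  },
};
```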
Fix
DoS
Prototype Pollution
Affected Products
Protobufjs