PT-2026-40536 · Npm · Protobufjs

Akiilex +1 · Published 2026-05-12 · Updated 2026-06-09 · CVE-2026-44290

CVSS v3.1 7.5 High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

protobufjs versions prior to 7.5.6
protobufjs versions prior to 8.0.2

Description

protobufjs allows certain schema option paths to traverse inherited object properties during option application. A crafted protobuf schema or JSON descriptor can cause option handling to write to properties on global JavaScript constructors, corrupting built-in process-wide functionality. This can lead to a persistent denial of service for the lifetime of the affected process. The issue affects applications that parse or load protobuf schemas or descriptors from untrusted sources using reflection APIs such as parse(), Root.load(), Root.loadSync(), or Root.fromJSON(). Applications using bundled or trusted schemas to decode untrusted payloads are not directly affected.

Recommendations

Update to version 7.5.6.
Update to version 8.0.2.
Avoid parsing or loading protobuf schemas or JSON descriptors from untrusted sources.
Validate or reject option names containing unsafe property path components before loading them.
Run schema processing in an isolated process.
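One way to apply the "validate or reject option names" recommendation before a JSON descriptor reaches Root.fromJSON(). This is an added example, not protobufjs code; the set of unsafe path segments (__proto__, constructor, prototype) and the helper names are assumptions, and the descriptors used to exercise it are constructed.

```javascript
// Added example (not protobufjs code): reject option names whose property
// path contains a segment that would reach an inherited object property.
// The segment list is an assumption; extend it to fit your own policy.
const UNSAFE_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split an option name into its path segments. A parenthesised extension name
// such as "(my.ext).sub" contributes one segment per dotted part, then the
// remaining dotted sub-field names follow as further segments.
function optionPathSegments(name) {
  const segments = [];
  const re = /\(([^)]*)\)|([^.()]+)/g;
  let m;
  while ((m = re.exec(name)) !== null) {
    const seg = m[1] !== undefined ? m[1] : m[2];
    for (const part of seg.split(".")) if (part.length) segments.push(part);
  }
  return segments;
}

function hasUnsafeOptionName(name) {
  return optionPathSegments(name).some((s) => UNSAFE_SEGMENTS.has(s));
}

// Walk a JSON descriptor (the shape Root.fromJSON consumes; parse it with
// JSON.parse so odd keys stay own properties) and return the dotted location
// of every "options" entry whose name contains an unsafe segment.
function findUnsafeOptions(descriptor, path = "", out = []) {
  if (descriptor === null || typeof descriptor !== "object") return out;
  if (Array.isArray(descriptor)) {
    descriptor.forEach((v, i) => findUnsafeOptions(v, `${path}[${i}]`, out));
    return out;
  }
  for (const [key, value] of Object.entries(descriptor)) {
    if (key === "options" && value !== null && typeof value === "object") {
      for (const optName of Object.keys(value)) {
        if (hasUnsafeOptionName(optName)) out.push(`${path}.options.${optName}`);
      }
    } else {
      findUnsafeOptions(value, path ? `${path}.${key}` : key, out);
    }
  }
  return out;
}

// Gate to call ahead of Root.fromJSON(): throws instead of loading a
// descriptor that carries an unsafe option path.
function assertSafeDescriptor(descriptor) {
  const hits = findUnsafeOptions(descriptor);
  if (hits.length) throw new Error(`unsafe option path(s): ${hits.join(", ")}`);
  return descriptor;
}
```

The same segment check can be run over option names collected from a parsed .proto text before that schema is handed to parse() or Root.load().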

Fix

DoS

Prototype Pollution


Weakness Enumeration

Related Identifiers

CVE-2026-44290
GHSA-JVWF-75H9-CWGG

Affected Products

Protobufjs