PT-2026-40537 · Npm · Protobufjs

Vladimirelitokarev · Published 2026-05-12 · Updated 2026-05-14 · CVE-2026-44291

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
protobufjs versions prior to 7.5.6
protobufjs versions prior to 8.0.2
Description
protobufjs builds its encode and decode functions from generated JavaScript source, and the code generator consults internal type lookup tables that are plain objects inheriting from Object.prototype. A lookup for a type name that is not an own key of such a table therefore falls through to the prototype chain. If Object.prototype has been polluted, the table resolves the attacker-controlled inherited property as if it were valid protobuf type information, and the attacker's string can be emitted verbatim into the generated JavaScript code. Because that code is subsequently compiled and executed, this can lead to arbitrary JavaScript execution, provided the attacker can first trigger a prototype pollution vulnerability elsewhere in the application. Prototype pollution is a technique where an attacker manipulates the prototype of a base object (typically Object.prototype) to inject properties that are then inherited by every other object.
Recommendations
Update protobufjs to version 7.5.6 or 8.0.2, whichever corresponds to the major version in use. Independently of the library update, remove or mitigate any reachable prototype pollution primitives (for example recursive merge or deep-clone routines that accept untrusted keys such as __proto__), and isolate schema or message processing from untrusted application state.
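The following is an added example, not code from protobufjs or from this advisory. It models the mechanism described above: a scalar-to-wire-type lookup table that inherits from Object.prototype, a code generator that splices the lookup result into JavaScript source, and a constructed prototype pollution primitive that turns an attacker-chosen type name into executed code. The names WIRE_TYPES, buildEncoderSourceVulnerable, buildEncoderSourceHardened, unsafeMerge, fakeWriter and demo are all constructed for this illustration, and the own-property check shown as the hardening is a generic pattern, not a description of the upstream patch.

```javascript
// Added example, not protobufjs code: a minimal model of a code-generating codec
// whose type lookup table inherits from Object.prototype, a constructed
// prototype-pollution primitive, and an own-property check that closes the gap.

// Constructed scalar-type -> wire-type table in the style of a codec lookup map.
// A plain object literal inherits from Object.prototype, so a key missing here
// is still resolved through the prototype chain.
const WIRE_TYPES = { int32: 0, uint64: 0, bool: 0, string: 2, bytes: 2 };

// Vulnerable pattern: whatever the lookup returns is spliced into generated source.
function buildEncoderSourceVulnerable(fieldType) {
  const wireType = WIRE_TYPES[fieldType]; // inherited properties count as hits
  if (wireType === undefined) throw new TypeError("unknown type: " + fieldType);
  return "return function encode(w, v) { w.uint32(" + wireType + "); return w; };";
}

// Hardened pattern: only own keys are type information, and the value must be a
// number before it is allowed anywhere near the generated source.
function buildEncoderSourceHardened(fieldType) {
  if (!Object.prototype.hasOwnProperty.call(WIRE_TYPES, fieldType)) {
    throw new TypeError("unknown type: " + fieldType);
  }
  const wireType = WIRE_TYPES[fieldType];
  if (typeof wireType !== "number") throw new TypeError("bad wire type for " + fieldType);
  return "return function encode(w, v) { w.uint32(" + wireType + "); return w; };";
}

// Constructed pollution primitive: a recursive merge that does not skip "__proto__".
// JSON.parse yields an own "__proto__" key, so the merge recurses into
// Object.prototype and writes the attacker's properties onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (source[key] !== null && typeof source[key] === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Minimal stand-in for a writer so the generated function can be invoked.
function fakeWriter() {
  return { calls: [], uint32(n) { this.calls.push(n); return this; } };
}

// Returns true if fn throws a TypeError, false otherwise.
function rejects(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Runs the whole scenario and reports what happened at each step.
// Cleans up the polluted prototype afterwards so it can be called repeatedly.
function demo() {
  // Attacker-chosen type name absent from the table, and a payload that closes
  // the uint32(...) call, runs its own statement, then reopens valid syntax.
  const typeName = "evil";
  const payload = "0); globalThis.pwned = true; w.uint32(0";
  const result = {};
  try {
    // Step 1: before pollution the unknown type is rejected.
    result.beforePollution = rejects(() => buildEncoderSourceVulnerable(typeName));
    // Step 2: the attacker reaches the pollution primitive with untrusted JSON.
    unsafeMerge({}, JSON.parse('{"__proto__": {"' + typeName + '": "' + payload + '"}}'));
    result.polluted = Object.prototype[typeName] === payload;
    // Step 3: the inherited string now passes as a wire type and lands in the
    // generated source; compiling and calling that source runs the payload.
    const src = buildEncoderSourceVulnerable(typeName);
    result.injected = src.includes("globalThis.pwned = true");
    new Function(src)()(fakeWriter(), null);
    result.payloadRan = globalThis.pwned === true;
    // Step 4: the hardened builder still rejects the polluted key.
    result.hardenedRejects = rejects(() => buildEncoderSourceHardened(typeName));
  } finally {
    delete Object.prototype[typeName];
    delete globalThis.pwned;
  }
  return result;
}

console.log(demo());
```

The payload is deliberately inert (it sets a flag) so the example is safe to run; the point is that the type name never has to be a valid protobuf type, only a property name the polluted prototype answers for, and that an own-property check on the lookup table is enough to break the chain even when the pollution itself is not fixed.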

Fix

Weakness Enumeration
Prototype Pollution
Code Injection

Related Identifiers
CVE-2026-44291
GHSA-75PX-5XX7-5XC7

Affected Products
Protobufjs