PT-2026-40538 · Npm · Protobufjs

Published: 2026-05-12 · Updated: 2026-05-13 · CVE-2026-44292
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
protobufjs versions prior to 7.5.6
protobufjs versions prior to 8.0.2
Description
Message constructors generate JavaScript functions that copy enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructs a message from an attacker-controlled plain object, an own enumerable __proto__ property (such as one produced by JSON.parse) alters the prototype of that individual message instance. This per-instance prototype injection lets an attacker replace the prototype chain of the resulting message instance, which may affect downstream application behavior that relies on inherited properties, prototype methods, or instanceof checks. Applications that only decode binary protobuf data or construct messages from trusted objects are not affected.
Recommendations
Update to version 7.5.6.
Update to version 8.0.2.
Validate or sanitize object keys to reject __proto__ properties when accepting untrusted JSON input before constructing messages.
Avoid passing attacker-controlled plain objects directly to generated message constructors.
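The following is an added illustration, not code from protobufjs or from this advisory: UnsafeMsg is a stand-in for a generated constructor that copies own enumerable properties as described above, and SafeMsg adds the key check the recommendations call for (the names UnsafeMsg, SafeMsg, rejectProtoKeys and the sample JSON are all constructed for this example).

```javascript
// Stand-in for a generated message constructor (not protobufjs's own code):
// copies every own enumerable property of `properties` onto the instance.
function UnsafeMsg(properties) {
  if (properties) {
    for (const key of Object.keys(properties)) {
      // For key "__proto__" this assignment does not create an own property;
      // it invokes Object.prototype's __proto__ setter and swaps the prototype.
      if (properties[key] != null) this[key] = properties[key];
    }
  }
}
UnsafeMsg.prototype.describe = function () { return "UnsafeMsg"; };

// Sanitizer of the kind the recommendations suggest: refuse untrusted
// objects that carry an own "__proto__" key before any copying happens.
function rejectProtoKeys(obj) {
  if (obj !== null && typeof obj === "object" &&
      Object.prototype.hasOwnProperty.call(obj, "__proto__")) {
    throw new TypeError("refusing input object with an own __proto__ key");
  }
  return obj;
}

// Hardened stand-in constructor: same copy loop, guarded by the check.
function SafeMsg(properties) {
  if (properties) {
    rejectProtoKeys(properties);
    for (const key of Object.keys(properties)) {
      if (properties[key] != null) this[key] = properties[key];
    }
  }
}
SafeMsg.prototype.describe = function () { return "SafeMsg"; };

// Constructed untrusted input. JSON.parse yields an OWN enumerable "__proto__"
// data property (an object literal with __proto__ would instead set the prototype).
const UNTRUSTED_JSON = '{"id": 7, "__proto__": {"isAdmin": true}}';

function demo() {
  const unsafe = new UnsafeMsg(JSON.parse(UNTRUSTED_JSON));
  let safeError = null;
  try { new SafeMsg(JSON.parse(UNTRUSTED_JSON)); } catch (e) { safeError = e; }
  return {
    unsafeIsInstance: unsafe instanceof UnsafeMsg,        // false: prototype replaced
    unsafeIsAdmin: unsafe.isAdmin,                        // true: inherited from injected prototype
    unsafeDescribeMissing: unsafe.describe === undefined, // true: prototype method gone
    unsafeIdKept: unsafe.id,                              // 7: own data property survives
    safeRejected: safeError instanceof TypeError,         // true: hardened path refuses input
    trustedOk: new SafeMsg({ id: 7 }) instanceof SafeMsg, // true: trusted objects still work
  };
}
```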

Weakness Enumeration

Prototype Pollution

Related Identifiers

CVE-2026-44292
GHSA-FX83-V9X8-X52W

Affected Products

Protobufjs