CVE-2026-44293

Name of the Vulnerable Software and Affected Versions protobufjs versions prior to 7.5.6 protobufjs versions prior to 8.0.2

Description JavaScript generated for toObject conversion may include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor containing a non-string default value for a bytes field can lead to the emission of attacker-controlled code into the generated conversion function. This allows an attacker who can influence a protobuf descriptor to execute arbitrary JavaScript within the process context, provided the application loads an untrusted schema and converts a message of the affected type with defaults enabled.

Recommendations Update to version 7.5.6. Update to version 8.0.2. Avoid loading protobuf schemas or JSON descriptors from untrusted sources. Validate or restrict field options before loading untrusted schemas and execute schema processing in an isolated environment.