PT-2026-40540 · Npm · Protobufjs

Published

2026-05-12

·

Updated

2026-07-03

·

CVE-2026-44294

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions protobufjs versions prior to 7.5.6 protobufjs versions prior to 8.0.2
Description protobufjs generates JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could cause generated encode, decode, verify, or conversion functions to fail during compilation, leading to a denial of service for applications that load untrusted schemas or descriptors by causing runtime code generation to throw a syntax error.
Recommendations Update to version 7.5.6. Update to version 8.0.2. Avoid loading protobuf schemas or JSON descriptors from untrusted sources. Validate field names before loading them and reject names containing control characters.

Exploit

Fix

DoS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-09112
CVE-2026-44294
GHSA-2PR8-PHX7-X9H3

Affected Products

Protobufjs