PT-2026-40540 · Npm · Protobufjs
Published
2026-05-12
·
Updated
2026-07-03
·
CVE-2026-44294
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
protobufjs versions prior to 7.5.6
protobufjs versions prior to 8.0.2
Description
protobufjs generates JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could cause generated encode, decode, verify, or conversion functions to fail during compilation, leading to a denial of service for applications that load untrusted schemas or descriptors by causing runtime code generation to throw a syntax error.
Recommendations
Update to version 7.5.6.
Update to version 8.0.2.
Avoid loading protobuf schemas or JSON descriptors from untrusted sources.
Validate field names before loading them and reject names containing control characters.
Exploit
Fix
DoS
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Protobufjs