Skip to main content

protobufjs CVE-2026-44288

MEDIUM
Improper Handling of Unicode Encoding (CWE-176)
2026-05-12 https://github.com/protobufjs/protobuf.js GHSA-q6x5-8v7m-xcrf
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 12, 2026 - 15:33 vuln.today
Analysis Generated
May 12, 2026 - 15:33 vuln.today
CVE Published
May 12, 2026 - 15:00 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @protobufjs/utf8 (1 direct, 0 indirect)
  • 1,242 npm packages depend on protobufjs (72 direct, 1,171 indirect)

Ecosystem-wide dependent count for version 1.1.1 and other introduced versions.

DescriptionGitHub Advisory

Summary

protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. The affected decoder accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them.

The issue concerns overlong encodings and code points outside the Unicode range. protobufjs may still accept some non-strict UTF-8 input for compatibility, so applications should not rely on protobufjs as a general-purpose strict UTF-8 validator.

Impact

An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters.

The practical impact depends on downstream application validation and how decoded strings are used. Node.js Buffer-backed decoding paths are not directly affected when they use Node's native UTF-8 decoding.

Preconditions

  • The application must decode protobuf binary data influenced by an attacker.
  • The affected protobuf string field must be decoded through protobufjs's minimal UTF-8 decoder rather than a native UTF-8 decoder.
  • The application must rely on byte-level filtering or validation before protobuf string decoding.
  • The decoded string must then be used in a security-sensitive context.

Workarounds

Avoid relying only on byte-level filtering before protobuf string decoding with affected versions. Validate decoded strings at the point where they are used, and prefer runtime paths that use native UTF-8 decoding where necessary.

AnalysisAI

protobufjs versions 7.5.5 and earlier, and 8.0.0-8.0.1 accept overlong UTF-8 byte sequences in the minimal UTF-8 decoder used by non-Node and fallback decoding paths, allowing attackers to bypass byte-level filtering and decode strings containing characters that were not present in the raw protobuf binary input. This integrity issue affects applications that rely on pre-decoding byte validation before using protobuf strings in security-sensitive contexts. Patch versions 7.5.6 and 8.0.2 are available; Node.js Buffer-backed paths are not directly affected.

Technical ContextAI

protobufjs is a JavaScript protocol buffer library that includes a minimal UTF-8 decoder for environments where native UTF-8 decoding is unavailable (e.g., browsers, non-Node runtimes). UTF-8 encoding standards require that code points be represented in their shortest form; overlong encodings use more bytes than necessary and are invalid per RFC 3629. The vulnerable decoder failed to reject these overlong sequences, instead canonicalizing them to their corresponding characters. This violates the UTF-8 specification (CWE-176: Improper Handling of Unusual Unicode Characters and Normalization) and creates a semantic gap: bytes inspected by application-level filters do not match the bytes used for UTF-8 decoding, enabling bypass attacks. The @protobufjs/utf8 package contains the shared UTF-8 implementation affected across both major versions.

RemediationAI

Upgrade protobufjs to version 7.5.6 (for the 7.x branch) or 8.0.2 (for the 8.x branch); upgrade @protobufjs/utf8 to version 1.1.1 if used as a standalone dependency. These versions fix the overlong UTF-8 decoding issue. For applications unable to immediately patch, implement validation at the point where decoded strings are used rather than relying exclusively on byte-level filtering before decoding. In browser and non-Node.js environments, prefer code paths that delegate UTF-8 decoding to platform-native implementations where possible (e.g., TextDecoder API in browsers). Review and update any byte-level filters that assume protobuf strings have been validated during decoding; move validation logic to occur after decoding for security-sensitive fields. See https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf for additional mitigation guidance.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

Share

CVE-2026-44288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy