Skip to main content

protobufjs CVE-2026-44293

HIGH
Code Injection (CWE-94)
2026-05-12 https://github.com/protobufjs/protobuf.js GHSA-66ff-xgx4-vchm
RCE Code Injection
7.7
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 13, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 16:22 NVD
7.7 (HIGH)
Source Code Evidence Fetched
May 12, 2026 - 16:01 vuln.today
Analysis Generated
May 12, 2026 - 16:01 vuln.today
CVE Published
May 12, 2026 - 15:06 nvd
HIGH

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,132 npm packages depend on protobufjs (57 direct, 1,076 indirect)

Ecosystem-wide dependent count for version 8.0.0.

DescriptionNVD

Summary

protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function.

Impact

An attacker who can provide or influence a protobuf descriptor may be able to execute arbitrary JavaScript in the context of the process using protobufjs.

This requires the application to load an attacker-controlled schema or descriptor and then convert a message of the affected type with defaults enabled. Applications that only use trusted, application-defined schemas are not directly affected by this issue.

Preconditions

  • The application must allow an attacker to control or influence a protobuf JSON descriptor or equivalent reflected schema.
  • The descriptor must define a bytes field with an attacker-controlled default value.
  • The application must call toObject with defaults enabled for the affected type.

Workarounds

Do not load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or restrict field options before loading them and run schema processing in an isolated environment.

AnalysisAI

Remote code execution in protobufjs (npm package) versions ≤7.5.5 and 8.0.0-8.0.1 allows attackers to inject and execute arbitrary JavaScript by supplying a malicious protobuf schema with crafted default values in bytes fields. When applications load untrusted protobuf descriptors and call toObject() with defaults enabled, attacker-controlled expressions are emitted into generated conversion functions and executed in the application context. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory all applications and microservices using protobufjs via npm dependency audit and SCA tools; identify which services load untrusted or external protobuf schemas. Within 7 days: Upgrade protobufjs to version 7.5.6 (for 7.x users) or 8.0.2 (for 8.x users) across all production and staging environments; validate functionality in a non-production environment first. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-44293 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy