Skip to main content

protobufjs CVE-2026-44293

HIGH
Code Injection (CWE-94)
2026-05-12 https://github.com/protobufjs/protobuf.js GHSA-66ff-xgx4-vchm
7.7
CVSS 4.0 · Vendor: https://github.com/protobufjs/protobuf.js
Share

Severity by source

Vendor (https://github.com/protobufjs/protobuf.js) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/protobufjs/protobuf.js).

CVSS VectorVendor: https://github.com/protobufjs/protobuf.js

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 13, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 16:22 NVD
7.7 (HIGH)
Source Code Evidence Fetched
May 12, 2026 - 16:01 vuln.today
Analysis Generated
May 12, 2026 - 16:01 vuln.today
CVE Published
May 12, 2026 - 15:06 nvd
HIGH

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,242 npm packages depend on protobufjs (72 direct, 1,171 indirect)

Ecosystem-wide dependent count for version 8.0.0.

DescriptionCVE.org

Summary

protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function.

Impact

An attacker who can provide or influence a protobuf descriptor may be able to execute arbitrary JavaScript in the context of the process using protobufjs.

This requires the application to load an attacker-controlled schema or descriptor and then convert a message of the affected type with defaults enabled. Applications that only use trusted, application-defined schemas are not directly affected by this issue.

Preconditions

  • The application must allow an attacker to control or influence a protobuf JSON descriptor or equivalent reflected schema.
  • The descriptor must define a bytes field with an attacker-controlled default value.
  • The application must call toObject with defaults enabled for the affected type.

Workarounds

Do not load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or restrict field options before loading them and run schema processing in an isolated environment.

AnalysisAI

Remote code execution in protobufjs (npm package) versions ≤7.5.5 and 8.0.0-8.0.1 allows attackers to inject and execute arbitrary JavaScript by supplying a malicious protobuf schema with crafted default values in bytes fields. When applications load untrusted protobuf descriptors and call toObject() with defaults enabled, attacker-controlled expressions are emitted into generated conversion functions and executed in the application context. Vendor-released patches are available in versions 7.5.6 and 8.0.2. No public exploit code identified at time of analysis, though the vulnerability is straightforward to weaponize given the clear preconditions in the advisory.

Technical ContextAI

This is a code injection vulnerability (CWE-94) in protobufjs, the popular JavaScript implementation of Protocol Buffers for Node.js and browsers. The flaw exists in the code generation logic for toObject() conversion functions. When protobufjs processes a protobuf schema (JSON descriptor or reflected schema), it generates JavaScript code to convert message instances to plain objects. The vulnerability occurs because the generator does not properly sanitize default values for bytes fields before embedding them in the generated code. Instead of treating the default value as data, the generator treats non-string values as executable expressions. An attacker who controls the schema can inject arbitrary JavaScript expressions into the bytes field default value, which are then emitted verbatim into the generated toObject function and executed when that function is called. This affects both major version lines: the 7.x series (≤7.5.5) and the newer 8.x series (≤8.0.1), indicating the flaw was carried forward during the major version transition.

RemediationAI

Upgrade to patched versions immediately if your application loads untrusted protobuf schemas. For the 7.x branch, upgrade to version 7.5.6 or later (release notes: https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6). For the 8.x branch, upgrade to version 8.0.2 or later (release notes: https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2). If immediate patching is not feasible, implement strict schema validation: only load protobuf schemas from trusted, application-controlled sources, and never accept user-supplied or external schemas without rigorous validation. As a defense-in-depth measure, run schema processing in an isolated sandbox or separate process with minimal privileges to contain potential code execution. Validate or strip field default values from external descriptors before loading them into protobufjs. If your application only uses compile-time or hardcoded schemas and never loads dynamic descriptors, you are not affected and upgrading is lower priority, though still recommended for long-term maintainability. Review application architecture to identify any code paths where external schemas could be introduced, including API integrations with schema registries or developer tooling that might process untrusted .proto files.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 12 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Affected
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Affected

Share

CVE-2026-44293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy