protobufjs CVE-2026-44294
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1,242 npm packages depend on protobufjs (72 direct, 1,171 indirect)
Ecosystem-wide dependent count for version 8.0.0.
DescriptionGitHub Advisory
Summary
protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation.
Impact
An attacker who can provide or influence a protobuf schema or JSON descriptor may be able to make affected message types unusable by causing protobufjs runtime code generation to throw a syntax error.
This is a denial of service issue for applications that load untrusted schemas or descriptors. Applications that only use trusted, application-defined schemas are not directly affected by this issue.
The issue is not known to allow code execution by itself.
Preconditions
- The application must allow an attacker to control or influence a protobuf schema or JSON descriptor.
- The crafted input must define a field name containing control characters that reach generated JavaScript property access.
- The application must perform an operation that triggers protobufjs code generation for the affected type, such as encode, decode, verify,
fromObject, ortoObject.
Workarounds
Do not load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate field names before loading them and reject names containing control characters.
AnalysisAI
Denial of service in protobufjs allows remote attackers to crash runtime code generation by providing crafted protobuf schemas or JSON descriptors containing unescaped control characters in field names. When affected message types perform encode, decode, verify, or conversion operations, the generated JavaScript code fails to compile, rendering those types unusable. This affects applications that load untrusted schemas; those using only application-defined schemas are not impacted. No code execution is known to occur.
Technical ContextAI
protobufjs is a JavaScript implementation of Protocol Buffers that dynamically generates property accessor functions and message codec code at runtime from schema definitions. The vulnerability exists in the code generation phase where field and oneof names from schema input are embedded directly into JavaScript function bodies without proper escaping of control characters (such as newlines, tabs, or other non-printing characters defined in CWE-20: Improper Input Validation). When control characters are present in a field name, they break the syntax of the generated JavaScript code, causing a SyntaxError during the eval or Function constructor invocation that compiles the generated code. The vulnerability affects the runtime serialization/deserialization pipeline: any operation triggering code generation (encode, decode, verify, fromObject, toObject) will fail if a malicious schema has been loaded.
RemediationAI
Upgrade to protobufjs version 7.5.6 or later for the 7.x branch, or version 8.0.2 or later for the 8.x branch. These versions include input hardening and fix the control character escaping issue in generated code. Patched versions are available at https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6 and https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2. If immediate patching is not possible and the application must load untrusted schemas, implement validation middleware before schema loading: reject any schema or JSON descriptor containing field or oneof names with control characters (newlines, tabs, carriage returns, form feeds, or other characters outside the printable ASCII range 0x20-0x7E). This validation must occur before passing the schema to protobufjs load(), loadSync(), or fromJSON() functions, and the rejection should return an error to the caller rather than attempting to sanitize the schema, since sanitization may create unintended behavior changes in legitimate field names.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2pr8-phx7-x9h3