Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
14 vulnerabilities by protobufjs_project
CVE-2026-44295 (GCVE-0-2026-44295)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:50 – Updated: 2026-05-13 18:20
VLAI
Title
protobufjs-cli: Code injection in pbjs static output from crafted schema names
Summary
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.
Severity
8.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
>= 2.0.0, < 2.0.2
Affected: < 1.2.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44295",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:13:59.763256Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:20:05.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.0.2"
},
{
"status": "affected",
"version": "\u003c 1.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:50:39.216Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9"
}
],
"source": {
"advisory": "GHSA-6r35-46g8-jcw9",
"discovery": "UNKNOWN"
},
"title": "protobufjs-cli: Code injection in pbjs static output from crafted schema names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44295",
"datePublished": "2026-05-13T14:50:39.216Z",
"dateReserved": "2026-05-05T17:39:31.113Z",
"dateUpdated": "2026-05-13T18:20:05.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42290 (GCVE-0-2026-42290)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:49 – Updated: 2026-05-18 13:54
VLAI
Title
protobufjs-cli: OS Command Injection
Summary
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
>= 2.0.0, < 2.0.2
Affected: < 1.2.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T13:52:37.731634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T13:54:57.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.0.2"
},
{
"status": "affected",
"version": "\u003c 1.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:49:30.030Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj"
}
],
"source": {
"advisory": "GHSA-f84p-cvgm-xgjj",
"discovery": "UNKNOWN"
},
"title": "protobufjs-cli: OS Command Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42290",
"datePublished": "2026-05-13T14:49:30.030Z",
"dateReserved": "2026-04-26T12:13:55.551Z",
"dateUpdated": "2026-05-18T13:54:57.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45740 (GCVE-0-2026-45740)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:46 – Updated: 2026-05-13 18:20
VLAI
Title
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
< 7.5.8
Affected: >= 8.0.0, < 8.2.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:14:53.041286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:20:12.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.8"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:46:02.689Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jggg-4jg4-v7c6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jggg-4jg4-v7c6"
}
],
"source": {
"advisory": "GHSA-jggg-4jg4-v7c6",
"discovery": "UNKNOWN"
},
"title": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45740",
"datePublished": "2026-05-13T14:46:02.689Z",
"dateReserved": "2026-05-13T06:54:34.219Z",
"dateUpdated": "2026-05-13T18:20:12.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44294 (GCVE-0-2026-44294)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:44 – Updated: 2026-05-13 18:34
VLAI
Title
protobufjs: Denial of service from crafted field names in generated code
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
< 7.5.6
Affected: >= 8.0.0, < 8.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44294",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:34:24.114908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:34:31.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:44:30.474Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-2pr8-phx7-x9h3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-2pr8-phx7-x9h3"
}
],
"source": {
"advisory": "GHSA-2pr8-phx7-x9h3",
"discovery": "UNKNOWN"
},
"title": "protobufjs: Denial of service from crafted field names in generated code"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44294",
"datePublished": "2026-05-13T14:44:30.474Z",
"dateReserved": "2026-05-05T17:39:31.113Z",
"dateUpdated": "2026-05-13T18:34:31.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44293 (GCVE-0-2026-44293)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:43 – Updated: 2026-05-14 15:59
VLAI
Title
protobufjs: Code injection through bytes field defaults in generated toObject code
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
< 7.5.6
Affected: >= 8.0.0, < 8.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44293",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:59:34.901278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:59:42.554Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:43:33.342Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchm"
}
],
"source": {
"advisory": "GHSA-66ff-xgx4-vchm",
"discovery": "UNKNOWN"
},
"title": "protobufjs: Code injection through bytes field defaults in generated toObject code"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44293",
"datePublished": "2026-05-13T14:43:33.342Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-14T15:59:42.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44292 (GCVE-0-2026-44292)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:42 – Updated: 2026-05-18 14:01
VLAI
Title
protobufjs: Prototype injection in generated message constructors
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
< 7.5.6
Affected: >= 8.0.0, < 8.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44292",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T13:59:48.572838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T14:01:31.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:42:55.155Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-fx83-v9x8-x52w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-fx83-v9x8-x52w"
}
],
"source": {
"advisory": "GHSA-fx83-v9x8-x52w",
"discovery": "UNKNOWN"
},
"title": "protobufjs: Prototype injection in generated message constructors"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44292",
"datePublished": "2026-05-13T14:42:55.155Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-18T14:01:31.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44291 (GCVE-0-2026-44291)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:42 – Updated: 2026-05-13 15:32
VLAI
Title
protobufjs: Code generation gadget after prototype pollution
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
< 7.5.6
Affected: >= 8.0.0, < 8.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:31:57.317244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:32:06.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:42:13.984Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7"
}
],
"source": {
"advisory": "GHSA-75px-5xx7-5xc7",
"discovery": "UNKNOWN"
},
"title": "protobufjs: Code generation gadget after prototype pollution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44291",
"datePublished": "2026-05-13T14:42:13.984Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-13T15:32:06.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44290 (GCVE-0-2026-44290)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:41 – Updated: 2026-05-14 13:45
VLAI
Title
protobufjs: Process-wide denial of service through unsafe option paths
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
< 7.5.6
Affected: >= 8.0.0, < 8.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:44:00.767979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:45:12.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:41:15.312Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jvwf-75h9-cwgg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jvwf-75h9-cwgg"
}
],
"source": {
"advisory": "GHSA-jvwf-75h9-cwgg",
"discovery": "UNKNOWN"
},
"title": "protobufjs: Process-wide denial of service through unsafe option paths"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44290",
"datePublished": "2026-05-13T14:41:15.312Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-14T13:45:12.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44289 (GCVE-0-2026-44289)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:39 – Updated: 2026-05-13 18:20
VLAI
Title
protobufjs: Denial of service through unbounded protobuf recursion
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
< 7.5.6
Affected: >= 8.0.0, < 8.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:15:09.461702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:20:18.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:39:09.791Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-685m-2w69-288q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-685m-2w69-288q"
}
],
"source": {
"advisory": "GHSA-685m-2w69-288q",
"discovery": "UNKNOWN"
},
"title": "protobufjs: Denial of service through unbounded protobuf recursion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44289",
"datePublished": "2026-05-13T14:39:09.791Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-13T18:20:18.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44288 (GCVE-0-2026-44288)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:37 – Updated: 2026-05-13 18:33
VLAI
Title
protobufjs: Overlong UTF-8 decoding
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-176 - Improper Handling of Unicode Encoding
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
< 7.5.6
Affected: >= 8.0.0, < 8.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44288",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:33:40.802819Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:33:51.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-176",
"description": "CWE-176: Improper Handling of Unicode Encoding",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:37:26.624Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf"
}
],
"source": {
"advisory": "GHSA-q6x5-8v7m-xcrf",
"discovery": "UNKNOWN"
},
"title": "protobufjs: Overlong UTF-8 decoding"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44288",
"datePublished": "2026-05-13T14:37:26.624Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-13T18:33:51.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41242 (GCVE-0-2026-41242)
Vulnerability from cvelistv5 – Published: 2026-04-18 16:18 – Updated: 2026-04-20 16:03
VLAI
Title
protobufjs has an arbitrary code execution issue
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/protobufjs/protobuf.js/securit… | x_refsource_CONFIRM |
| https://github.com/protobufjs/protobuf.js/commit/… | x_refsource_MISC |
| https://github.com/protobufjs/protobuf.js/commit/… | x_refsource_MISC |
| https://github.com/protobufjs/protobuf.js/release… | x_refsource_MISC |
| https://github.com/protobufjs/protobuf.js/release… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| protobufjs | protobuf.js |
Affected:
< 7.5.5
Affected: >= 8.0.0-experimental, < 8.0.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41242",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T16:03:39.054181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:03:57.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf.js",
"vendor": "protobufjs",
"versions": [
{
"status": "affected",
"version": "\u003c 7.5.5"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-experimental, \u003c 8.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the \"type\" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T16:18:10.652Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg"
},
{
"name": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75"
},
{
"name": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956"
},
{
"name": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5"
},
{
"name": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1"
}
],
"source": {
"advisory": "GHSA-xq3m-2v4x-88gg",
"discovery": "UNKNOWN"
},
"title": "protobufjs has an arbitrary code execution issue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41242",
"datePublished": "2026-04-18T16:18:10.652Z",
"dateReserved": "2026-04-18T03:47:03.135Z",
"dateUpdated": "2026-04-20T16:03:57.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-36665 (GCVE-0-2023-36665)
Vulnerability from cvelistv5 – Published: 2023-07-05 00:00 – Updated: 2024-08-02 16:52
VLAI
Summary
"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
Assigner
References
6 references
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36665",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T15:11:08.399447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T15:11:31.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:52:54.371Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/protobufjs/protobuf.js/pull/1899"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240628-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "\"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-28T18:05:58.043Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4"
},
{
"url": "https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d"
},
{
"url": "https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665"
},
{
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4"
},
{
"url": "https://github.com/protobufjs/protobuf.js/pull/1899"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240628-0006/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36665",
"datePublished": "2023-07-05T00:00:00.000Z",
"dateReserved": "2023-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-02T16:52:54.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25878 (GCVE-0-2022-25878)
Vulnerability from cvelistv5 – Published: 2022-05-27 20:00 – Updated: 2024-09-17 02:36
VLAI
Title
Prototype Pollution
Summary
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files
Severity
CWE
- Prototype Pollution
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507 | x_refsource_MISC |
| https://github.com/protobufjs/protobuf.js/blob/d1… | x_refsource_MISC |
| https://github.com/protobufjs/protobuf.js/commit/… | x_refsource_MISC |
| https://github.com/protobufjs/protobuf.js/pull/1731 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | protobufjs |
Affected:
unspecified , < 6.11.3
(custom)
|
Date Public
2022-05-27 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.360Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/protobufjs/protobuf.js/pull/1731"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "protobufjs",
"vendor": "n/a",
"versions": [
{
"lessThan": "6.11.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera from Snyk"
}
],
"datePublic": "2022-05-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-27T20:00:15.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/protobufjs/protobuf.js/pull/1731"
}
],
"title": "Prototype Pollution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-05-27T20:00:01.523115Z",
"ID": "CVE-2022-25878",
"STATE": "PUBLIC",
"TITLE": "Prototype Pollution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "protobufjs",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.11.3"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Alessio Della Libera from Snyk"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507"
},
{
"name": "https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197",
"refsource": "MISC",
"url": "https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197"
},
{
"name": "https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f",
"refsource": "MISC",
"url": "https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f"
},
{
"name": "https://github.com/protobufjs/protobuf.js/pull/1731",
"refsource": "MISC",
"url": "https://github.com/protobufjs/protobuf.js/pull/1731"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25878",
"datePublished": "2022-05-27T20:00:15.716Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:36:03.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-3738 (GCVE-0-2018-3738)
Vulnerability from cvelistv5 – Published: 2018-06-07 02:00 – Updated: 2024-09-16 23:46
VLAI
Summary
protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files.
Severity
No CVSS data available.
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling (CWE-770)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/319576 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | protobufjs node module |
Affected:
Versions up to and including 6.8.5
|
Date Public
2018-04-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/319576"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "protobufjs node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "Versions up to and including 6.8.5"
}
]
}
],
"datePublic": "2018-04-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling (CWE-770)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-07T01:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/319576"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2018-3738",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "protobufjs node module",
"version": {
"version_data": [
{
"version_value": "Versions up to and including 6.8.5"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Allocation of Resources Without Limits or Throttling (CWE-770)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/319576",
"refsource": "MISC",
"url": "https://hackerone.com/reports/319576"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3738",
"datePublished": "2018-06-07T02:00:00.000Z",
"dateReserved": "2017-12-28T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:46:56.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}