Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the minimal UTF‑8 decoder bundled with protobuf.js. It accepts overlong byte sequences and maps them to their canonical Unicode characters instead of rejecting them. An attacker who can supply protobuf binary data can therefore cause bytes that lack certain ASCII characteristics to be decoded into strings containing those bytes, effectively bypassing application‑level checks that examine raw bytes prior to protobuf decoding.

Affected Systems

This issue affects the open‑source JavaScript library protobuf.js. All releases before 7.5.6 and before 8.0.2 are impacted. Applications that rely on earlier versions and process untrusted protobuf messages are potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, and the EPSS score is currently unavailable. The vulnerability is not listed in CISA’s KEV catalog, suggesting no public exploitation yet. Exploitation requires an attacker able to supply crafted protobuf data to a vulnerable application. Such data could enable logical bypasses of validation but does not grant arbitrary code execution or direct system access. Nonetheless, the potential to bypass checks warrants timely remediation.

Generated by OpenCVE AI on May 13, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the protobuf.js library to version 7.5.6, 8.0.2, or later to apply the fixed UTF‑8 decoder.
  • Implement inbound validation of protobuf data to reject overlong UTF‑8 sequences before handing them to the decoder, if possible.
  • Consider replacing protobuf.js with an alternative implementation that enforces strict UTF‑8 compliance, or patch the library to add stricter validation.

Generated by OpenCVE AI on May 13, 2026 at 17:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q6x5-8v7m-xcrf protobufjs has overlong UTF-8 decoding
History

Tue, 19 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Protobufjs Project
Protobufjs Project protobufjs
CPEs cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*
Vendors & Products Protobufjs Project
Protobufjs Project protobufjs

Thu, 14 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Protobuf
Protobuf protobuf
Vendors & Products Protobuf
Protobuf protobuf

Wed, 13 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.
Title protobufjs: Overlong UTF-8 decoding
Weaknesses CWE-176
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Protobuf Protobuf
Protobufjs Project Protobufjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:33:51.296Z

Reserved: 2026-05-05T17:39:31.112Z

Link: CVE-2026-44288

cve-icon Vulnrichment

Updated: 2026-05-13T18:33:46.801Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T16:16:55.587

Modified: 2026-05-19T20:46:53.323

Link: CVE-2026-44288

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses