Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises in the way protobufjs compiles protobuf definitions into JavaScript functions. Prior to versions 7.5.6 and 8.0.2, option paths could traverse inherited properties, so a crafted schema or JSON descriptor could write to properties of global JavaScript constructors. Writing to those properties corrupts process-wide built-in functionality and results in a denial of service. The weakness is categorized as CWE-1321 (improperly controlled modification of object prototype attributes, commonly called prototype pollution), which here takes the form of corrupted global objects.
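The following JavaScript is an added illustration of the weakness class, not protobufjs's own code: a generic "apply option by dotted path" routine in the unsafe shape the description refers to, a hardened counterpart that refuses prototype-reaching segments and descends only through own properties, and a pre-load check over a descriptor's option keys that supports restricting schema loading to trusted sources. All function names, the `(custom)` option name and the descriptor contents are constructed for the example; the unsafe walk is demonstrated against a locally created prototype so that the example never touches the real `Object.prototype`.

```javascript
// Added example, not protobufjs code: a generic "apply option by dotted path"
// routine in the unsafe shape CWE-1321 describes, a hardened counterpart, and a
// pre-load check for descriptor option keys. All names and inputs are constructed.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe shape: each segment is resolved with plain property access, so a
// segment naming an inherited property ("__proto__", "constructor") leaves the
// target object and continues the walk on a shared prototype.
function setOptionUnsafe(target, path, value) {
  const parts = path.split(".");
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened shape: reject prototype-reaching segments outright, descend only
// through own properties, and create intermediate containers without a
// prototype so nothing inherited is ever reachable from the walk.
function setOptionSafe(target, path, value) {
  const parts = path.split(".");
  for (const p of parts) {
    if (FORBIDDEN_SEGMENTS.has(p)) {
      throw new Error(`rejected option path segment: ${p}`);
    }
  }
  const hasOwn = Object.prototype.hasOwnProperty;
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (!hasOwn.call(cur, key) || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Pre-load check: list every option key in a descriptor's options map whose
// dotted path contains a forbidden segment, so a schema from an untrusted
// source can be refused before it is compiled.
function findUnsafeOptionPaths(options) {
  return Object.keys(options).filter((path) =>
    path.split(".").some((seg) => FORBIDDEN_SEGMENTS.has(seg))
  );
}

// Demonstration against a locally created prototype (constructed objects), so
// the unsafe walk is shown without touching the real Object.prototype.
function demo() {
  const sharedBase = {}; // stands in for a prototype shared by many objects
  const victim = Object.create(sharedBase);
  setOptionUnsafe(victim, "__proto__.polluted", 1);
  const unrelated = Object.create(sharedBase);
  const leakedThroughPrototype = unrelated.polluted === 1;

  let rejected = false;
  try {
    setOptionSafe(Object.create(sharedBase), "__proto__.alsoPolluted", 1);
  } catch (e) {
    rejected = true;
  }
  const benign = setOptionSafe({}, "(custom).tls.required", true);

  // Constructed descriptor options: one ordinary key, one prototype-reaching key.
  const descriptor = { java_package: "example.v1", "constructor.prototype.x": 2 };
  return {
    leakedThroughPrototype,
    rejected,
    stillClean: sharedBase.alsoPolluted === undefined,
    benignApplied: benign["(custom)"].tls.required === true,
    flagged: findUnsafeOptionPaths(descriptor),
  };
}

console.log(demo());
```

The pre-load check is the piece a defender can deploy independently of the library version: run it over every descriptor's options map before handing the schema to the compiler, and refuse or log any descriptor whose paths it flags.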

Affected Systems

The affected product is the protobuf.js library (the protobufjs package). The vulnerability exists in all releases prior to 7.5.6 and 8.0.2. Users of older versions of this library are at risk.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity. The EPSS score is unavailable, so the probability of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. An attacker able to supply a malicious protobuf definition to an application that uses protobufjs can trigger the denial of service by altering global constructors. Exploitation requires the ability to load or compile a protobuf schema, which may be possible over the network or from a local file, depending on the application context.

Generated by OpenCVE AI on May 13, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the protobufjs library to version 7.5.6 or newer, or 8.0.2 or newer.
  • Audit and restrict the loading of external protobuf schemas to trusted sources to limit potential exploitation while the upgrade is pending.
  • If an upgrade cannot be performed immediately, isolate schema compilation in a separate process or sandbox so that any corruption of global constructors stays contained there.

Advisories
Source | ID | Title
Github GHSA | GHSA-jvwf-75h9-cwgg | protobuf.js: Process-wide denial of service through unsafe option paths
History

Thu, 14 May 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Protobuf; Protobuf protobuf
Vendors & Products | | Protobuf; Protobuf protobuf

Thu, 14 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 12:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Protobufjs Project; Protobufjs Project protobufjs
CPEs | | cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*
Vendors & Products | | Protobufjs Project; Protobufjs Project protobufjs

Wed, 13 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.
Title | | protobufjs: Process-wide denial of service through unsafe option paths
Weaknesses | | CWE-1321
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T13:45:12.701Z

Reserved: 2026-05-05T17:39:31.112Z

Link: CVE-2026-44290

Vulnrichment

Updated: 2026-05-14T13:45:07.436Z

NVD

Status: Analyzed

Published: 2026-05-13T16:16:55.847

Modified: 2026-05-14T12:23:20.007

Link: CVE-2026-44290

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses