Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.
Published: 2026-05-13
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

protobuf.js converts protobuf definitions into JavaScript functions. Prior to versions 7.5.6 and 8.0.2 the library used plain objects with inherited prototypes for its internal lookup tables in generated encode and decode functions. If Object.prototype had been polluted, these lookup tables could treat attacker‑controlled inherited properties as valid protobuf type information, causing attacker‑controlled strings to be embedded directly into the generated JavaScript code. The vulnerability is a code‑generation gadget (CWE‑94) that can result in remote code execution if the produced code is executed in a privileged context.

Affected Systems

The affected product is protobuf.js from the protobufjs project. Versions prior to 7.5.6 and prior to 8.0.2 are vulnerable.

Risk and Exploitability

The CVSS score of 8.1 reflects high severity. No EPSS data is available, and the vulnerability is not listed in CISA KEV. Exploitation requires that an attacker can supply a malicious protobuf definition or otherwise trigger the library’s compile routine while Object.prototype remains polluted. The likely attack vector is user‑supplied protocol descriptors completed in a runtime environment that evaluates the compiled code, resulting in arbitrary JavaScript execution. The risk is bounded to environments that compile untrusted schema definitions with older versions of protobuf.js.

Generated by OpenCVE AI on May 13, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade protobuf.js to version 7.5.6 or 8.0.2 or later.
  • If upgrading is not immediately possible, ensure that the application does not compile proto definitions supplied by untrusted sources; validate all descriptors before compilation and disallow prototype pollution by clearing inherited properties from Object.prototype when initializing the environment.
  • When executing compiled code, run it in a sandboxed or isolated context (e.g., a VM or worker thread) to contain any potential code injection.

Generated by OpenCVE AI on May 13, 2026 at 17:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-75px-5xx7-5xc7 protobuf.js: Code generation gadget after prototype pollution
History

Thu, 14 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Protobuf
Protobuf protobuf
Vendors & Products Protobuf
Protobuf protobuf

Thu, 14 May 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Protobufjs Project
Protobufjs Project protobufjs
CPEs cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*
Vendors & Products Protobufjs Project
Protobufjs Project protobufjs

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.
Title protobufjs: Code generation gadget after prototype pollution
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Protobuf Protobuf
Protobufjs Project Protobufjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T15:32:06.425Z

Reserved: 2026-05-05T17:39:31.112Z

Link: CVE-2026-44291

cve-icon Vulnrichment

Updated: 2026-05-13T15:32:01.630Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T16:16:55.987

Modified: 2026-05-14T12:22:14.937

Link: CVE-2026-44291

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses