Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Protobuf.js compiles protobuf definitions into JavaScript functions. Prior to versions 7.5.6 and 8.0.2, the generated message constructors copied enumerable properties from a supplied properties object without filtering the __proto__ key. If an application creates a message from an attacker-controlled plain object that contains an own enumerable __proto__ property, the prototype of that individual message instance can be altered. The weakness is categorized as CWE-1321.

Affected Systems

The vulnerability affects the protobuf.js library published by the protobufjs vendor. All 7.x releases earlier than 7.5.6 and all 8.x releases earlier than 8.0.2 are susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, so current exploitation prevalence is unclear. The likely attack vector is an application that constructs protobuf messages from untrusted data, which could be driven by a malicious user or compromised third‑party input. An attacker would need to control the payload passed to the constructor; no additional network exposure or privileged state is required beyond what the application already accepts.

Generated by OpenCVE AI on May 13, 2026 at 18:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update protobuf.js to version 7.5.6 or newer, or to 8.0.2 or newer. This patch removes the unfiltered copy of the __proto__ key from message constructors.
  • Implement input validation or sanitization so that any object passed to a message constructor is inspected and the __proto__ property is removed or rejected before construction. This mitigates the prototype injection risk if an application cannot immediately upgrade.
  • If upgrading is not possible, apply a local patch to the library that rewrites the generated message constructors to filter out the __proto__ key before assigning properties. This custom patch provides an interim measure until the official update is applied.

Generated by OpenCVE AI on May 13, 2026 at 18:02 UTC.
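An added illustration of the input validation the second recommended action describes; this is not code from the advisory or from the protobufjs project. UnfilteredMessage is a simplified stand-in modelled on the copy-every-enumerable-key behaviour the advisory attributes to pre-fix constructors, and assertNoProtoKey and buildFiltered are hypothetical names for the validator and the hardened wrapper.

```javascript
// Stand-in for a generated message constructor that copies every own
// enumerable key, including "__proto__" (a simplified model of the
// pre-7.5.6 / pre-8.0.2 behaviour the advisory describes, not protobufjs code).
function UnfilteredMessage(properties) {
  if (properties) {
    for (const key of Object.keys(properties)) {
      if (properties[key] != null) this[key] = properties[key];
    }
  }
}

// Reject any own "__proto__" key, recursing into nested objects and arrays.
// JSON.parse creates an own enumerable "__proto__" data property for
// {"__proto__": ...}, which Object.keys() reports like any other key.
function assertNoProtoKey(value, path = "$") {
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertNoProtoKey(item, `${path}[${i}]`));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      if (key === "__proto__") {
        throw new TypeError(`rejected own __proto__ key at ${path}`);
      }
      assertNoProtoKey(value[key], `${path}.${key}`);
    }
  }
  return value;
}

// Hardened wrapper (hypothetical name): validate before construction, as the
// recommended action suggests for applications that cannot upgrade yet.
function buildFiltered(properties) {
  return new UnfilteredMessage(assertNoProtoKey(properties));
}

// Constructed untrusted input; the own "__proto__" key survives JSON.parse.
const untrusted = JSON.parse('{"id": 7, "__proto__": {"isAdmin": true}}');

// The per-instance effect: assigning this["__proto__"] invokes the
// Object.prototype setter, so the instance's prototype is swapped and an
// inherited "isAdmin" appears although no such field was ever declared.
function unfilteredInstanceGetsForeignPrototype() {
  const msg = new UnfilteredMessage(untrusted);
  return Object.getPrototypeOf(msg) !== UnfilteredMessage.prototype &&
    msg.isAdmin === true && !Object.prototype.hasOwnProperty.call(msg, "isAdmin");
}

function filteredInputIsRejected() {
  try { buildFiltered(untrusted); return false; }
  catch (e) { return e instanceof TypeError; }
}
```

Dropping the key silently instead of throwing is an equally valid choice; rejecting makes the tampering attempt visible in application logs.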

Tracking


Advisories
Source: Github GHSA | ID: GHSA-fx83-v9x8-x52w | Title: protobuf.js: Prototype injection in generated message constructors
History

Mon, 18 May 2026 14:15:00 +0000

Type: Metrics | Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 14:45:00 +0000

Type: First Time appeared | Values Added: Protobuf; Protobuf protobuf
Type: Vendors & Products | Values Added: Protobuf; Protobuf protobuf

Wed, 13 May 2026 21:00:00 +0000

Type: First Time appeared | Values Added: Protobufjs Project; Protobufjs Project protobufjs
Type: CPEs | Values Added: cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*
Type: Vendors & Products | Values Added: Protobufjs Project; Protobufjs Project protobufjs

Wed, 13 May 2026 15:15:00 +0000

Type: Description | Values Added: protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
Type: Title | Values Added: protobufjs: Prototype injection in generated message constructors
Type: Weaknesses | Values Added: CWE-1321
Type: References
Type: Metrics | Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T14:01:31.297Z

Reserved: 2026-05-05T17:39:31.112Z

Link: CVE-2026-44292

Vulnrichment

Updated: 2026-05-18T14:01:13.401Z

NVD

Status : Analyzed

Published: 2026-05-13T16:16:56.123

Modified: 2026-05-13T20:58:32.597

Link: CVE-2026-44292

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses