Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.
Published: 2026-05-13
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in protobuf.js allows an attacker to inject executable JavaScript code into a generated toObject conversion function. The injection originates from a schema‑controlled default value on a bytes field that is not a string. When an untrusted protobuf schema is compiled, the resulting JavaScript contains attacker‑controlled code, providing a direct avenue for arbitrary code execution in the environment that runs the conversion function.

Affected Systems

The vulnerability affects the protobuf.js library in versions prior to 7.5.6 and 8.0.2. Any application that relies on these older releases and compiles protobuf descriptors from untrusted sources is at risk.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. The EPSS score is not available, but the absence of data does not lower the risk; any system that processes untrusted descriptors exposes a code injection vector. The issue is not listed in the CISA KEV catalog, yet the direct code execution capability makes it a high‑priority problem. The likely attack vector is the delivery of a maliciously crafted protobuf descriptor that an application compiles with protobuf.js.

Generated by OpenCVE AI on May 13, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade protobuf.js to version 7.5.6 or newer, or 8.0.2 or newer.
  • Validate or reject protobuf descriptors that set non‑string defaults on bytes fields; enforce that bytes field defaults are string literals only.
  • If an upgrade cannot be performed immediately, run the generated conversion functions in a sandboxed or least‑privileged environment and monitor for suspicious code execution.

Generated by OpenCVE AI on May 13, 2026 at 17:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-66ff-xgx4-vchm protobuf.js: Code injection through bytes field defaults in generated toObject code
History

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Protobuf
Protobuf protobuf
Vendors & Products Protobuf
Protobuf protobuf

Wed, 13 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Protobufjs Project
Protobufjs Project protobufjs
CPEs cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*
Vendors & Products Protobufjs Project
Protobufjs Project protobufjs
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.
Title protobufjs: Code injection through bytes field defaults in generated toObject code
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Protobuf Protobuf
Protobufjs Project Protobufjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:59:42.554Z

Reserved: 2026-05-05T17:39:31.112Z

Link: CVE-2026-44293

cve-icon Vulnrichment

Updated: 2026-05-14T15:59:38.038Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T16:16:56.253

Modified: 2026-05-13T20:56:57.980

Link: CVE-2026-44293

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses