Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Protobuf.js compiles protocol buffer definitions into JavaScript functions. Prior to releases 7.5.6 and 8.0.2, the compiler inserted field and oneof names directly into generated code without escaping certain control characters. When a crafted schema or JSON descriptor contains these characters, the resulting JavaScript code fails to compile, causing encode, decode, verify, or conversion functions to throw errors during runtime. This failure manifests as a denial-of-service condition for any component that relies on the generated code. The weakness is a classic example of CWE-20, Improper Input Validation.

Affected Systems

The vulnerability affects the protobuf.js library distributed under the protobufjs:protobuf.js namespace. Any deployment that uses a protobuf.js version prior to 7.5.6 or 8.0.2 and processes user-supplied schema definitions is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is supplying a crafted schema or JSON descriptor to a system that compiles protobuf definitions at runtime, which would trigger the compile failure and stop the service from functioning normally.

Generated by OpenCVE AI on May 13, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade protobuf.js to version 7.5.6 or newer, or 8.0.2 or newer, to apply the vendor-supplied fix.
  • Validate or sanitize field and oneof names in incoming schemas, rejecting any control characters before calling the compiler.
  • Restrict or sandbox the compilation process so that untrusted schemas cannot execute arbitrary code in the host environment.
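
The second recommended action, rejecting control characters in field and oneof names before the descriptor reaches the compiler, as an added JavaScript example that is not protobuf.js project code. It assumes protobuf.js's JSON descriptor layout (`nested`, `fields`, `oneofs`) and an identifier regex that only approximates the protobuf identifier grammar; the sample descriptor is constructed.

```javascript
"use strict";

// Conservative allow-list (assumption approximating the protobuf identifier
// grammar): ASCII letters, digits and underscores, not starting with a digit.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// True if the name contains a C0/C1 control character or a Unicode
// line/paragraph separator, any of which can break generated JS source.
function hasControlChars(name) {
  return /[\u0000-\u001F\u007F-\u009F\u2028\u2029]/.test(name);
}

// Walks a protobuf.js-style JSON descriptor ({ nested: { Msg: { fields, oneofs } } })
// and returns one finding { path, kind, name, reason } per unsafe field or oneof name.
function findUnsafeNames(descriptor, path = [], findings = []) {
  const nested = descriptor && descriptor.nested;
  if (!nested || typeof nested !== "object") return findings;
  for (const [typeName, def] of Object.entries(nested)) {
    const here = [...path, typeName];
    for (const kind of ["fields", "oneofs"]) {
      const members = def[kind];
      if (!members || typeof members !== "object") continue;
      for (const name of Object.keys(members)) {
        const reason = hasControlChars(name) ? "control character"
          : IDENT_RE.test(name) ? null : "not an identifier";
        if (reason) findings.push({ path: here.join("."), kind, name, reason });
      }
    }
    findUnsafeNames(def, here, findings); // recurse into nested packages/messages
  }
  return findings;
}

// Gate to call before handing a descriptor to the compiler (e.g. Root.fromJSON):
// throws on the first unsafe name, otherwise returns the descriptor unchanged.
function assertSafeDescriptor(descriptor) {
  const [f] = findUnsafeNames(descriptor);
  if (f) throw new Error(`unsafe ${f.kind} name in ${f.path}: ${JSON.stringify(f.name)} (${f.reason})`);
  return descriptor;
}

// Constructed sample: one clean message and one whose field and oneof names
// carry a newline and a NUL byte (constructed for illustration, not from the advisory).
const SAMPLE = { nested: { pkg: { nested: {
  Clean: { fields: { id: { type: "uint32", id: 1 } }, oneofs: { kind: { oneof: ["id"] } } },
  Crafted: { fields: { "name\n": { type: "string", id: 1 } },
             oneofs: { "k\u0000": { oneof: ["name\n"] } } },
} } } };

console.log(findUnsafeNames(SAMPLE)); // two findings, both under pkg.Crafted
```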

Advisories

Source: Github GHSA
ID: GHSA-2pr8-phx7-x9h3
Title: protobuf.js: Denial of service from crafted field names in generated code
History

Thu, 14 May 2026 20:15:00 +0000

  Metrics (ssvc), values added:
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 14:45:00 +0000

  First Time appeared, values added: Protobuf; Protobuf protobuf
  Vendors & Products, values added: Protobuf; Protobuf protobuf

Wed, 13 May 2026 21:00:00 +0000

  First Time appeared, values added: Protobufjs Project; Protobufjs Project protobufjs
  CPEs, values added: cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*
  Vendors & Products, values added: Protobufjs Project; Protobufjs Project protobufjs

Wed, 13 May 2026 15:15:00 +0000

  Description, values added: protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
  Title, values added: protobufjs: Denial of service from crafted field names in generated code
  Weaknesses, values added: CWE-20
  References: (no values listed)
  Metrics (cvssV3_1), values added:
  {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:34:31.882Z

Reserved: 2026-05-05T17:39:31.113Z

Link: CVE-2026-44294

Vulnrichment

Updated: 2026-05-13T18:34:28.072Z

NVD

Status: Analyzed

Published: 2026-05-13T16:16:56.380

Modified: 2026-05-13T20:55:23.860

Link: CVE-2026-44294

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses