Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

protobufjs compiles protobuf definitions into JavaScript functions. Versions prior to 8.6.0 and 7.6.3 accepted certain schema‑derived names that could collide with properties used by the protobufjs runtime helper modules. These collisions allowed the library to treat data from the message schema as internal helpers during decoding, verification, conversion, JSON serialization, or RPC invocation. As a result, deterministic exceptions were raised or unbounded recursive calls occurred, leading to application crashes or unresponsive services. The weakness is reflected in CWE‑606 (Missing Input Validation), CWE‑674 (Uncontrolled Recursion), and CWE‑754.

Affected Systems

The vulnerability affects any software that imports the protobufjs library and uses protobuf definitions that include fields named hasOwnProperty, field, oneof names such as $type, or service methods whose generated helper name is rpcCall. Project codebases that compile messages or services with these names and run on older protobufjs releases (any version earlier than 8.6.0 or 7.6.3) are susceptible. No additional proprietary products are listed beyond the protobuf.js library.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity vulnerability. The EPSS score of <1% indicates a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need to provide or manipulate a protobuf schema definition that the application processes at runtime. If the application accepts untrusted or dynamically loaded schemas, the attacker could trigger the crash or denial‑of‑service condition, impacting availability of the affected service.

Generated by OpenCVE AI on June 29, 2026 at 14:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade protobufjs to version 8.6.0 or newer, or at least to 7.6.3.
  • If an immediate upgrade is impractical schema definitions containing field names hasOwnProperty, field, $type, or service method names rpcCall before processing them.
  • Restrict the use of dynamic runtime schema loading; prefer statically compiled schemas or load only from trusted sources to eliminate the vector that could exploit this weakness.

Generated by OpenCVE AI on June 29, 2026 at 14:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f38q-mgvj-vph7 protobufjs : Schema-derived names can shadow runtime-significant properties
History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

threat_severity

Low


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Protobuf
Protobuf protobuf
Vendors & Products Protobuf
Protobuf protobuf

Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.
Title protobufjs: Schema-derived names can shadow runtime-significant properties
Weaknesses CWE-674
CWE-754
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Protobuf Protobuf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:09:36.165Z

Reserved: 2026-06-12T17:13:32.279Z

Link: CVE-2026-54269

cve-icon Vulnrichment

Updated: 2026-06-23T16:07:08.694Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-22T16:23:24Z

Links: CVE-2026-54269 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T15:00:13Z

Weaknesses
  • CWE-606

    Unchecked Input for Loop Condition

  • CWE-674

    Uncontrolled Recursion

  • CWE-754

    Improper Check for Unusual or Exceptional Conditions