Description
JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.
Published: 2026-04-15
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Remote Code Execution via prototype pollution
Action: Immediate Patch
AI Analysis

Impact

The protocol-buffers-schema library v3.6.0 is vulnerable to JavaScript prototype pollution. Exploitation allows an attacker to modify properties on Object.prototype, which can change application logic, bypass security checks, trigger denial‑of‑service conditions, or even lead to remote code execution depending on the target environment and how the parsed data is subsequently used.

Affected Systems

The affected product is Mafintosh’s protocol‑buffers‑schema parser, specifically version 3.6.0. Any application that depends on or loads this version is at risk.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting the current exploitation probability is unknown. The likely attack vector is remote, via an attacker supplying a crafted protocol buffer message to the vulnerable parser. Because prototype pollution can alter fundamental object behavior, the full impact can be significant if the application uses the corrupted objects for privileged operations. Additionally, the CVSS score is 6.5, indicating moderate severity.

Generated by OpenCVE AI on April 15, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available version of protocol-buffers-schema (post‑3.6.0) or apply the patch provided in version 3.6.1 or later.
  • If an upgrade is not immediately possible, isolate and hard‑enforce input validation so that only whitelisted, trusted protocol buffer definitions are parsed, preventing malicious data from reaching the vulnerable code.
  • Use package-lock.json or npm‑audit to detect and block the vulnerable dependency from being installed in new environments, and audit existing installations for the presence of version 3.6.0.

Generated by OpenCVE AI on April 15, 2026 at 22:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1174

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Mafintosh
Mafintosh protocol-buffers-schema Parser
Vendors & Products Mafintosh
Mafintosh protocol-buffers-schema Parser

Wed, 15 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1174

Wed, 15 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.
Title Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution
References

Subscriptions

Mafintosh Protocol-buffers-schema Parser
cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-15T18:55:45.526Z

Reserved: 2026-04-07T17:20:03.756Z

Link: CVE-2026-5758

cve-icon Vulnrichment

Updated: 2026-04-15T18:55:39.046Z

cve-icon NVD

Status : Received

Published: 2026-04-15T18:17:24.920

Modified: 2026-04-15T20:16:38.103

Link: CVE-2026-5758

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:30:16Z

Weaknesses

No weakness.