Prototype Manipulation in Protobuf.js Versions Prior to 7.5.6 and 8.0.2
CVE-2026-44290

7.5HIGH

Key Information:

Vendor: Protobufjs
Status: Protobuf.js
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-44290?

Prior to releases 7.5.6 and 8.0.2, Protobuf.js had a significant issue where it permitted certain schema option paths to leverage inherited object properties while managing options. An attacker could exploit this by crafting a malicious protobuf schema or JSON descriptor, potentially allowing option handling to write to properties in global JavaScript constructors. This could corrupt essential built-in functionalities across the process. The vulnerability has been effectively addressed in versions 7.5.6 and 8.0.2.

Affected Version(s)

protobuf.js < 7.5.6 < 7.5.6

protobuf.js >= 8.0.0, < 8.0.2 < 8.0.0, 8.0.2

References

https://github.com/protobufjs/protobuf.js/security/adviso...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 5, 2026

CVE-2026-44290 Data

JSON

Protobufjs

What is CVE-2026-44290?

Affected Version(s)

References

CVSS V3.1

Timeline