Prototype Pollution in protobufjs JavaScript Library by Protobuf
CVE-2026-44292

5.3 MEDIUM

Key Information:

Vendor

Protobufjs

CVE Published:
13 May 2026

What is CVE-2026-44292?

protobufjs compiles protobuf definitions into JavaScript functions. In versions before 7.5.6 and 8.0.2, an attacker can craft JavaScript objects that include an enumerable __proto__ property, which can manipulate the prototype of instances. This potentially enables an attacker to alter objects and introduce malicious behavior in applications. The issue has been addressed in versions 7.5.6 and 8.0.2, reinforcing the importance of regular updates to maintain security.

Affected Version(s)

protobuf.js < 7.5.6

protobuf.js >= 8.0.0, < 8.0.2
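
The following is an added example, not code from protobufjs or from this advisory: it checks an installed version against the affected ranges listed above and rejects untrusted objects that carry an own __proto__ key before they are copied onto an instance. All function names are hypothetical, and naiveAssign is a simplified model of a property-copying setter, not the library's generated code.

```javascript
// Added example: helper names are hypothetical; this is not protobufjs code.

// Affected ranges as listed on this page: < 7.5.6, and >= 8.0.0 but < 8.0.2.
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new TypeError("unparseable version: " + version);
  const v = m.slice(1).map(Number);
  const fixed = v[0] >= 8 ? [8, 0, 2] : [7, 5, 6];
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// Return the path of the first own "__proto__" key in a nested value, or null.
function findProtoKey(value, path = "$") {
  if (value === null || typeof value !== "object") return null;
  if (Object.prototype.hasOwnProperty.call(value, "__proto__")) {
    return path + ".__proto__";
  }
  for (const key of Object.keys(value)) {
    const hit = findProtoKey(value[key], path + "." + key);
    if (hit) return hit;
  }
  return null;
}

// Simplified model of a property-copying setter (assumption, not library code).
function naiveAssign(target, source) {
  // Assigning the "__proto__" key invokes the prototype setter on target.
  for (const key in source) target[key] = source[key];
  return target;
}

// Hardened wrapper: refuse the input before any property is copied.
function safeAssign(target, source) {
  const hit = findProtoKey(source);
  if (hit) throw new Error("rejected: own __proto__ key at " + hit);
  return naiveAssign(target, source);
}

// Constructed sample input: JSON.parse creates "__proto__" as an own enumerable key.
const SAMPLE = JSON.parse('{"name":"a","__proto__":{"injected":true}}');
```

In the model, only the receiving instance's prototype changes; Object.prototype itself is left untouched.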

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
