JavaScript Function Accessor Vulnerability in Protobufjs by Protobuf
CVE-2026-44294

5.3 MEDIUM

Key Information:

Vendor

Protobufjs

CVE Published:
13 May 2026

What is CVE-2026-44294?

The protobufjs library compiles protocol buffer definitions into JavaScript functions. Before versions 7.5.6 and 8.0.2, certain control characters in field names were not escaped properly when those functions were generated. An attacker who can supply a crafted schema or JSON descriptor can cause the generated encode, decode, verify, or conversion functions to fail during compilation. Upgrading to a patched version (7.5.6 or 8.0.2) is advised.
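For applications that accept JSON descriptors from outside their trust boundary, the following added example (not protobufjs code and not part of the original advisory) screens field names before a descriptor is handed to the library. The function names and the sample descriptor are hypothetical, and the identifier allow-list is an assumption that is stricter than the control-character issue described above.

```javascript
// Added example: pre-load check for protobufjs JSON descriptors.
// Assumption: field names are limited to the .proto identifier grammar,
// which is stricter than "no control characters".
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Walks a descriptor ({ nested: { Name: { fields: {...}, nested: {...} } } })
// and returns one finding per field name that is not a plain identifier.
function findUnsafeFieldNames(descriptor, path = "") {
  const findings = [];
  if (descriptor === null || typeof descriptor !== "object") return findings;
  const fields = descriptor.fields;
  if (fields && typeof fields === "object") {
    for (const name of Object.keys(fields)) {
      if (!IDENT.test(name)) {
        // JSON.stringify makes control characters visible in the report.
        findings.push({ type: path || "<root>", field: JSON.stringify(name) });
      }
    }
  }
  const nested = descriptor.nested;
  if (nested && typeof nested === "object") {
    for (const [name, child] of Object.entries(nested)) {
      findings.push(...findUnsafeFieldNames(child, path ? `${path}.${name}` : name));
    }
  }
  return findings;
}

// Constructed sample: one clean message, one with a newline in a field name.
const sampleDescriptor = {
  nested: {
    demo: {
      nested: {
        Ok: { fields: { id: { type: "int32", id: 1 } } },
        Bad: { fields: { "na\nme": { type: "string", id: 1 }, note: { type: "string", id: 2 } } },
      },
    },
  },
};

// Returns the findings for the constructed sample above.
function checkSample() {
  return findUnsafeFieldNames(sampleDescriptor);
}

console.log(checkSample());
```

A non-empty result means the descriptor should be rejected before it reaches the library; the check complements the upgrade rather than replacing it.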

Affected Version(s)

protobuf.js < 7.5.6

protobuf.js >= 8.0.0, < 8.0.2

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved