JavaScript Injection Vulnerability in Protobuf.js Versions 8.2.0 to 8.6.5
CVE-2026-59876
4.8MEDIUM
What is CVE-2026-59876?
A vulnerability in the Protobuf.js Text Format extension allows the parsing of string-keyed map entries using ordinary property assignment. This vulnerability occurs in versions ranging from 8.2.0 to 8.6.5, enabling a map entry with the key 'proto' to unintentionally alter the prototype of the returned map object. Consequently, such prototype manipulation could lead to unexpected behavior or potential security issues within applications using affected versions. The issue has been successfully addressed in Protobuf.js version 8.6.5.
Affected Version(s)
protobuf.js >= 8.2.0, < 8.6.5
