CVE-2026-44291

Severity: HIGH 8.1 (EPSS 0.02%)

protobuf.js: Code generation gadget after prototype pollution

Published: 5/12/2026  Modified: 5/14/2026
Also known as: GHSA-75px-5xx7-5xc7, CGA-wf86-6qrx-29pg

Description

## Summary

protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If `Object.prototype` had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code.

## Impact

An attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution. This issue requires a separate prototype pollution primitive before protobufjs is invoked. Applications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.

## Preconditions

- The application or one of its dependencies must allow an attacker to pollute `Object.prototype`.
- The polluted property must affect protobufjs internal type lookup behavior.
- The application must use protobufjs functionality that generates encode or decode code for affected types.
- The generated code path must be reached after the prototype pollution has occurred.

## Workarounds

Avoid running affected versions in applications where attacker-controlled input can pollute `Object.prototype`. If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.
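The gadget pattern the Summary describes, reduced to a minimal illustration. This is added example code, not protobufjs source: the real library's tables, helper names and generated code differ, and `makeGeneratorPlain`, `makeGeneratorHardened`, the `int32`/`string` entries and the `PollutedType` key are all constructed for the demonstration. It shows why a plain-object lookup table honours an inherited, polluted property and splices it into generated source, while a null-prototype table with an own-property check rejects it.

```javascript
// Added illustration of the gadget class described in the advisory. This is
// NOT protobufjs source: the table entries, helper names and the
// "PollutedType" key are constructed for the example.

// Vulnerable pattern: a type lookup table built as a plain object. Plain
// objects inherit from Object.prototype, so a lookup for a name the table
// never defined can still succeed through a polluted inherited property.
function makeGeneratorPlain(types) {
  const table = {};
  for (const [name, helper] of Object.entries(types)) table[name] = helper;
  return function generate(fieldType) {
    const helper = table[fieldType]; // property access walks the prototype chain
    if (helper === undefined) throw new Error("unknown type " + fieldType);
    // The looked-up string is spliced into generated source: if it came from
    // Object.prototype, attacker-controlled text becomes code.
    return "return " + helper + "(v);";
  };
}

// Hardened pattern: a null-prototype table plus an own-property check, so an
// inherited property can never be mistaken for a registered type.
function makeGeneratorHardened(types) {
  const table = Object.create(null);
  for (const [name, helper] of Object.entries(types)) table[name] = helper;
  return function generate(fieldType) {
    if (!Object.prototype.hasOwnProperty.call(table, fieldType)) {
      throw new Error("unknown type " + fieldType);
    }
    return "return " + table[fieldType] + "(v);";
  };
}

// Simulates the advisory's precondition: a separate bug has already polluted
// Object.prototype before code generation runs. Returns what each generator
// produced so the difference can be checked programmatically.
function demo() {
  const types = { int32: "writeInt32", string: "writeString" }; // constructed
  const plain = makeGeneratorPlain(types);
  const hardened = makeGeneratorHardened(types);

  const key = "PollutedType"; // constructed key, not a real protobuf type name
  // Attacker-controlled value planted by the (separate) pollution primitive.
  Object.prototype[key] = "(function (v) { return 'attacker code ran'; })";
  try {
    const plainSrc = plain(key);
    // Compiling the generated source, as a code generator would, executes
    // the attacker-supplied text.
    const plainRan = new Function("v", plainSrc)(1);

    let hardenedError = null;
    try {
      hardened(key);
    } catch (e) {
      hardenedError = e.message;
    }
    return { plainSrc, plainRan, hardenedError };
  } finally {
    delete Object.prototype[key]; // undo the pollution so it does not leak out of the demo
  }
}

console.log(demo());
```

The same prototype-chain behaviour applies to `in` checks and `for...in` loops over plain objects, so an own-property test (or a `Map`) is the general fix for any table keyed by names that may coincide with polluted properties. Freezing `Object.prototype` at startup is a broader, application-level defence against the pollution primitive itself, but it is outside what this advisory describes and can break libraries that legitimately extend the prototype.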

Affected packages (1)

CVSS scores

Source | Version  | Severity | Score | Vector
osv    | CVSS 3.1 | HIGH     | 8.1   | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)