CVE-2026-44292

MEDIUM5.3EPSS 0.08%

protobuf.js: Prototype injection in generated message constructors

發布日:2026/5/12修改日:2026/5/14
也稱為:GHSA-fx83-v9x8-x52wCGA-px6f-wmh3-99xq

描述

## Summary protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the `__proto__` key. If an application constructed a message from an attacker-controlled plain object, an own enumerable `__proto__` property could alter the prototype of that individual message instance. ## Impact An attacker who can control the properties object passed to a generated protobufjs message constructor or creation helper may be able to modify the prototype chain of the resulting message instance. This is a per-instance prototype injection issue. It does not pollute `Object.prototype` or other global prototypes. The impact depends on downstream application behavior, such as relying on inherited properties, prototype methods, or `instanceof` checks for message objects. Applications that only decode binary protobuf data, or that construct messages from trusted application-defined objects, are not directly affected by this issue. ## Preconditions - The application must allow an attacker to control or influence a plain object used to construct a protobufjs message. - The object must contain an own enumerable `__proto__` property, for example from parsed JSON input. - The application must pass that object to a generated message constructor or creation helper that copies arbitrary enumerable properties. ## Workarounds Do not pass attacker-controlled plain objects directly to generated message constructors with affected versions. If untrusted JSON input must be accepted, validate or sanitize object keys before constructing messages, and reject `__proto__` properties.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 3.1MEDIUM5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

參考連結(5)