CVE-2026-44292 MEDIUM

CVE-2026-44292: protobufjs: Prototype injection in generated message constructors

Vendor Protobufjs
Product protobuf.js
Weakness CWE-1321
Published May 13, 2026
Last update May 18, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
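To make the mechanism concrete, here is an added example (not protobufjs's own generated code): a minimal stand-in for a generated message constructor in the vulnerable shape the description gives, beside a hardened version that refuses to copy the __proto__ key. The message shape and the JSON input are constructed for illustration; the check function shows how a defender can confirm an instance still has the constructor's own prototype.

```javascript
// Hypothetical stand-in for a generated message constructor (pre-7.5.6 / pre-8.0.2 shape).
function VulnerableMessage(properties) {
  this.id = 0;
  if (properties) {
    // Copies every own enumerable key. JSON.parse makes "__proto__" an own key, and
    // assigning this["__proto__"] hits the Object.prototype accessor, re-parenting
    // this single instance (no global pollution, but inherited fields change).
    for (var keys = Object.keys(properties), i = 0; i < keys.length; ++i)
      if (properties[keys[i]] != null) this[keys[i]] = properties[keys[i]];
  }
}
VulnerableMessage.prototype.toObject = function () { return { id: this.id }; };

// Hardened shape: the prototype accessor is never treated as a message field.
function HardenedMessage(properties) {
  this.id = 0;
  if (properties) {
    for (var keys = Object.keys(properties), i = 0; i < keys.length; ++i) {
      var key = keys[i];
      if (key === "__proto__") continue;
      if (properties[key] != null) this[key] = properties[key];
    }
  }
}
HardenedMessage.prototype.toObject = function () { return { id: this.id }; };

// Constructed untrusted input: a JSON body carrying an own "__proto__" key.
const UNTRUSTED_JSON = '{"id": 7, "__proto__": {"isAdmin": true}}';

// Build a message and report whether its prototype chain is still the
// constructor's own prototype; a replaced prototype loses generated methods
// (toObject) and gains whatever the attacker-supplied object carried (isAdmin).
function buildAndCheck(Ctor, json) {
  const msg = new Ctor(JSON.parse(json));
  return {
    prototypeIntact: Object.getPrototypeOf(msg) === Ctor.prototype,
    isAdmin: msg.isAdmin,
    hasToObject: typeof msg.toObject === "function",
    id: msg.id,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", buildAndCheck(VulnerableMessage, UNTRUSTED_JSON));
  console.log("hardened:  ", buildAndCheck(HardenedMessage, UNTRUSTED_JSON));
}
```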

Key dates

Disclosure timeline

May 13, 2026 CVE published
May 18, 2026 Record updated