CVE-2026-44294 MEDIUM

CVE-2026-44294: protobufjs: Denial of service from crafted field names in generated code

Vendor Protobufjs

Product protobuf.js

Weakness CWE-20 · Input validation

Published May 13, 2026

Last update May 13, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.

Key dates

02Disclosure timeline

May 13, 2026 CVE published

May 13, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-44294

Related vulnerabilities

Identifiers

CVE CVE-2026-44294

CWE CWE-20

CVSS 5.3 / MEDIUM

Affected versions

Vendor Protobufjs

Product protobuf.js

Affected < 7.5.6

Vendor Protobufjs

Product protobuf.js

Affected >= 8.0.0, < 8.0.2

CVE-2026-44294: protobufjs: Denial of service from crafted field names in generated code

01Description

02Disclosure timeline

03References

04Related CVE