CVE-2026-44291
protobufjs · protobuf.js
The protobuf.js library contains a code injection vulnerability when compiling protobuf definitions, potentially allowing attackers to execute arbitrary code.
Executive summary
A critical code injection vulnerability in protobuf.js allows attackers to execute arbitrary code, presenting a significant security risk to any application utilizing this library for serialization.
Vulnerability
This vulnerability is identified as CWE-94 (Code Injection). An unauthenticated attacker can exploit the way the library compiles protobuf definitions into JavaScript functions to achieve arbitrary code execution.
Business impact
With a CVSS score of 8.1, this vulnerability poses a serious threat to application security. Successful exploitation could lead to full application compromise, allowing an attacker to manipulate data, bypass security controls, or extract sensitive information processed by the library.
Remediation
Immediate Action: Update the npm package protobufjs to version 7.5.6 or 8.0.2, depending on the current branch in use.
Proactive Monitoring: Monitor applications using this library for unexpected behavior or unauthorized execution of JavaScript functions during the serialization/deserialization process.
Compensating Controls: If immediate patching is not feasible, restrict the library's ability to process untrusted or externally sourced protobuf definitions.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Security teams must prioritize updating the protobufjs dependency to the identified secure versions. Failure to patch this vulnerability leaves applications vulnerable to remote code execution, which could be leveraged to compromise the entire host environment.