CVE-2026-44293

protobufjs · protobuf.js

The protobuf.js library is vulnerable to code injection when compiling protobuf definitions into JavaScript functions, potentially allowing unauthorized code execution.

Executive summary

A code injection vulnerability in protobuf.js allows authenticated attackers to execute arbitrary JavaScript, posing a significant risk to application integrity.

Vulnerability

The vulnerability (CWE-94) involves improper control of code generation. An attacker with low privileges can leverage this flaw to inject malicious code during the compilation of protobuf definitions.

Business impact

Successful exploitation permits an attacker to execute arbitrary code within the context of the application, leading to potential data exfiltration or full system compromise. Given the CVSS score of 8.8, this vulnerability represents a high-severity risk that could severely impact business operations and the confidentiality of sensitive data managed by the affected application.

Remediation

Immediate Action: Update the protobufjs package to version 7.5.6 or 8.0.2 via your package manager (e.g., npm install protobufjs@latest).

Proactive Monitoring: Monitor application logs for unusual JavaScript execution patterns or unexpected calls to sensitive system functions originating from protobuf processing modules.

Compensating Controls: Implement strict Content Security Policies (CSP) and input validation to limit the scope of potential code injection attempts.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Organizations utilizing protobuf.js must prioritize upgrading to the patched versions immediately. Given the nature of code injection, leaving this vulnerability unpatched creates a direct pathway for unauthorized system access and should be addressed in the current sprint cycle.