Threat Advisory

protobuf.js Vulnerabilities Allow Unauthenticated Arbitrary Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in protobufjs, the JavaScript Protocol Buffers (protobuf) implementation, and in its pbjs code generator (protobufjs-cli), which produces JavaScript from protobuf schema definitions. Fixes are shipped in protobufjs v7.5.6 and v8.0.2 and in protobufjs-cli v1.2.1 and v2.0.2; earlier releases on those lines are affected. The vulnerabilities allow code injection, arbitrary code execution, and denial of service. They are reachable when an attacker can supply or influence the protobuf schema or JSON descriptor an application loads, for example when schemas are parsed from untrusted sources. A crafted schema or descriptor carrying malicious names, option paths, or default values can then inject code into the generated JavaScript or corrupt process state and cause a denial of service.

  • CVE-2026-44295 with a CVSS score of 9.0 – Code injection into generated JavaScript through crafted schema names. An attacker who can provide or influence the schemas passed to pbjs can place attacker-controlled text into the generated output, leading to arbitrary code execution and data breaches.
  • CVE-2026-44293 with a CVSS score of 8.3 – Code injection into generated JavaScript through crafted bytes field default values. An attacker who can provide or influence protobuf descriptors can inject code into the generated conversion function, leading to arbitrary code execution and data breaches.
  • CVE-2026-44291 with a CVSS score of 7.5 – Generated protobufjs encode or decode functions can be influenced by a prior prototype pollution. An attacker who first triggers a prototype pollution vulnerability can steer the generated functions into executing arbitrary JavaScript, leading to data breaches and disruption of business operations.
  • CVE-2026-44290 with a CVSS score of 6.5 – Corruption of built-in process state through crafted option paths in a protobuf schema or JSON descriptor. An attacker who can provide or influence schemas or descriptors can corrupt process state and cause a denial of service.

Applications that load protobuf schemas or JSON descriptors from untrusted sources, or use such schemas to decode untrusted protobuf messages, are exposed to these vulnerabilities. Applications that use bundled, generated, or otherwise trusted schemas are not directly affected. Any path by which an attacker can influence or control the schema or descriptor the application uses, however, can be exploited to gain unauthorized access to sensitive data or disrupt business operations.
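The mitigation is to upgrade, but applications that must accept descriptors from outside a trust boundary can also refuse anything that does not look like a well-formed descriptor before it reaches code generation. The following is an added example, not code from the advisory or from the protobufjs project: a conservative pre-check over a protobuf JSON descriptor (the shape consumed by protobuf.Root.fromJSON) that rejects names that are not protobuf identifiers, option path segments that step into the prototype chain, and bytes defaults that are not canonical base64. The identifier rule, the forbidden segment list, the base64 test and the function name checkDescriptor are this example's own assumptions, and the sample descriptors are constructed for illustration.

```javascript
// Added example (not protobufjs project code): a defensive pre-check for
// protobuf JSON descriptors before they are handed to code generation.
// The rules below are this example's own assumptions about what a trusted
// descriptor looks like; they are not an upstream API and do not replace
// updating to a fixed protobufjs / protobufjs-cli release.

// protobuf identifiers: letters, digits and underscore, not starting with a digit.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Type references may be dotted (e.g. "pkg.Message").
const TYPEREF = /^[A-Za-z_][A-Za-z0-9_.]*$/;
// Name segments that reach Object.prototype or the constructor chain.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
// Canonical base64, the encoding protobufjs uses for bytes defaults in JSON.
const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Walk a descriptor and return a list of human-readable findings.
// An empty list means the descriptor passed every rule; a non-empty list
// means the caller should refuse to load it.
function checkDescriptor(json) {
  const findings = [];

  function checkName(name, where) {
    if (!IDENT.test(name)) {
      findings.push(`${where}: name ${JSON.stringify(name)} is not a protobuf identifier`);
    } else if (FORBIDDEN.has(name)) {
      findings.push(`${where}: name ${JSON.stringify(name)} is a reserved prototype key`);
    }
  }

  function checkOptions(options, where) {
    if (options === undefined) return;
    if (options === null || typeof options !== "object" || Array.isArray(options)) {
      findings.push(`${where}: options must be an object`);
      return;
    }
    for (const key of Object.keys(options)) {
      // Option keys are dotted paths such as "(my.opt).sub"; every segment
      // must be an identifier and must not step into the prototype chain.
      const segments = key.replace(/[()]/g, "").split(".");
      for (const seg of segments) checkName(seg, `${where} option ${JSON.stringify(key)}`);
    }
  }

  function checkField(name, field, where) {
    checkName(name, where);
    if (field === null || typeof field !== "object") {
      findings.push(`${where}: field must be an object`);
      return;
    }
    if (typeof field.type !== "string" || !TYPEREF.test(field.type)) {
      findings.push(`${where}: type ${JSON.stringify(field.type)} is not a valid type reference`);
    }
    checkOptions(field.options, where);
    // A bytes default becomes part of the generated conversion code, so it
    // must be plain base64 and nothing else.
    const def = field.options && field.options.default;
    if (field.type === "bytes" && def !== undefined) {
      if (typeof def !== "string" || !BASE64.test(def)) {
        findings.push(`${where}: bytes default is not canonical base64`);
      }
    }
  }

  function walk(node, where) {
    if (node === null || typeof node !== "object") {
      findings.push(`${where}: expected an object`);
      return;
    }
    checkOptions(node.options, where);
    if (node.fields) {
      for (const [name, field] of Object.entries(node.fields)) {
        checkField(name, field, `${where}.${name}`);
      }
    }
    if (node.values) {
      for (const name of Object.keys(node.values)) checkName(name, `${where}.${name}`);
    }
    if (node.nested) {
      for (const [name, child] of Object.entries(node.nested)) {
        checkName(name, `${where}.${name}`);
        walk(child, `${where}.${name}`);
      }
    }
  }

  walk(json, "root");
  return findings;
}

// Constructed sample descriptors for this example (not taken from the advisory).
// They are parsed from JSON text rather than written as object literals so
// that a "__proto__" key is an own property, exactly as it would be when the
// descriptor arrives over the network.
const benignDescriptor = JSON.parse(`{
  "nested": { "demo": { "nested": { "Ping": { "fields": {
    "id": { "type": "uint32", "id": 1 },
    "payload": { "type": "bytes", "id": 2, "options": { "default": "aGVsbG8=" } }
  } } } } }
}`);

const hostileDescriptor = JSON.parse(`{
  "nested": {
    "x\\"); console.log(1); (\\"": { "fields": {} },
    "demo": {
      "options": { "__proto__.polluted": true },
      "fields": {
        "blob": { "type": "bytes", "id": 1, "options": { "default": "'); process.exit(1); //" } }
      }
    }
  }
}`);

console.log(checkDescriptor(benignDescriptor));  // []
console.log(checkDescriptor(hostileDescriptor)); // three findings: bad name, prototype key, bad bytes default
```

Run the check on every descriptor that crosses a trust boundary and refuse to call protobuf.Root.fromJSON (or to invoke pbjs) when it returns any finding. It deliberately errs on the side of rejection: a legitimate descriptor only ever needs identifier names, dotted option paths, and base64 bytes defaults, so anything outside that grammar is either malformed or hostile.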

RECOMMENDATION:

  • Update protobufjs to v7.5.6 or v8.0.2, and protobufjs-cli to v1.2.1 or v2.0.2.
  • Until updated, do not load protobuf schemas or JSON descriptors from untrusted sources, and treat any application that does so as exposed.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-6r35-46g8-jcw9
https://github.com/advisories/GHSA-66ff-xgx4-vchm
https://github.com/advisories/GHSA-75px-5xx7-5xc7
https://github.com/advisories/GHSA-jvwf-75h9-cwgg
