GHSA-q6x5-8v7m-xcrf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q6x5-8v7m-xcrf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q6x5-8v7m-xcrf/GHSA-q6x5-8v7m-xcrf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q6x5-8v7m-xcrf
- Aliases
-
- CVE-2026-44288
- Downstream
- Related
- Published
- 2026-05-12T15:00:11Z
- Modified
- 2026-05-14T20:52:15.295159Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- protobufjs has overlong UTF-8 decoding
- Details
-
Summary
protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. The affected decoder accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them.
The issue concerns overlong encodings and code points outside the Unicode range. protobufjs may still accept some non-strict UTF-8 input for compatibility, so applications should not rely on protobufjs as a general-purpose strict UTF-8 validator.
Impact
An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters.
The practical impact depends on downstream application validation and how decoded strings are used. Node.js Buffer-backed decoding paths are not directly affected when they use Node's native UTF-8 decoding.
Preconditions
- The application must decode protobuf binary data influenced by an attacker.
- The affected protobuf string field must be decoded through protobufjs's minimal UTF-8 decoder rather than a native UTF-8 decoder.
- The application must rely on byte-level filtering or validation before protobuf string decoding.
- The decoded string must then be used in a security-sensitive context.
Workarounds
Avoid relying only on byte-level filtering before protobuf string decoding with affected versions. Validate decoded strings at the point where they are used, and prefer runtime paths that use native UTF-8 decoding where necessary.
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-176" ], "github_reviewed": true, "github_reviewed_at": "2026-05-12T15:00:11Z", "nvd_published_at": "2026-05-13T16:16:55Z" }- References
-
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf
- https://nvd.nist.gov/vuln/detail/CVE-2026-44288
- https://github.com/protobufjs/protobuf.js
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2
Affected packages
npm / protobufjs
Package
- Name
- protobufjs
- View open source insights on deps.dev
- Purl
- pkg:npm/protobufjs
npm / protobufjs
Package
- Name
- protobufjs
- View open source insights on deps.dev
- Purl
- pkg:npm/protobufjs
npm / @protobufjs/utf8
Package
- Name
- @protobufjs/utf8
- View open source insights on deps.dev
- Purl
- pkg:npm/%40protobufjs/utf8