GHSA-75px-5xx7-5xc7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-75px-5xx7-5xc7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-75px-5xx7-5xc7/GHSA-75px-5xx7-5xc7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-75px-5xx7-5xc7
- Aliases
-
- CVE-2026-44291
- Downstream
- Related
- Published
- 2026-05-12T15:01:24Z
- Modified
- 2026-05-14T20:50:09.477265Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- protobuf.js: Code generation gadget after prototype pollution
- Details
-
Summary
protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If
Object.prototypehad already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.This could cause attacker-controlled strings to be emitted into generated JavaScript code.
Impact
An attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution.
This issue requires a separate prototype pollution primitive before protobufjs is invoked.
Applications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.
Preconditions
- The application or one of its dependencies must allow an attacker to pollute
Object.prototype. - The polluted property must affect protobufjs internal type lookup behavior.
- The application must use protobufjs functionality that generates encode or decode code for affected types.
- The generated code path must be reached after the prototype pollution has occurred.
Workarounds
Avoid running affected versions in applications where attacker-controlled input can pollute
Object.prototype. If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state. - The application or one of its dependencies must allow an attacker to pollute
- Database specific
{ "cwe_ids": [ "CWE-1321", "CWE-94" ], "nvd_published_at": "2026-05-13T16:16:55Z", "severity": "HIGH", "github_reviewed_at": "2026-05-12T15:01:24Z", "github_reviewed": true }- References
-
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7
- https://nvd.nist.gov/vuln/detail/CVE-2026-44291
- https://github.com/protobufjs/protobuf.js
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2
Affected packages
npm / protobufjs
Package
- Name
- protobufjs
- View open source insights on deps.dev
- Purl
- pkg:npm/protobufjs
npm / protobufjs
Package
- Name
- protobufjs
- View open source insights on deps.dev
- Purl
- pkg:npm/protobufjs