GHSA-2pr8-phx7-x9h3

Suggest an improvement
Source
https://github.com/advisories/GHSA-2pr8-phx7-x9h3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2pr8-phx7-x9h3/GHSA-2pr8-phx7-x9h3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2pr8-phx7-x9h3
Aliases
  • CVE-2026-44294
Published
2026-05-12T15:06:17Z
Modified
2026-05-12T17:16:46.695035Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
protobuf.js: Denial of service from crafted field names in generated code
Details

Summary

protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation.

Impact

An attacker who can provide or influence a protobuf schema or JSON descriptor may be able to make affected message types unusable by causing protobufjs runtime code generation to throw a syntax error.

This is a denial of service issue for applications that load untrusted schemas or descriptors. Applications that only use trusted, application-defined schemas are not directly affected by this issue.

The issue is not known to allow code execution by itself.

Preconditions

  • The application must allow an attacker to control or influence a protobuf schema or JSON descriptor.
  • The crafted input must define a field name containing control characters that reach generated JavaScript property access.
  • The application must perform an operation that triggers protobufjs code generation for the affected type, such as encode, decode, verify, fromObject, or toObject.

Workarounds

Do not load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate field names before loading them and reject names containing control characters.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T15:06:17Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

npm / protobufjs

Package

Name
protobufjs
View open source insights on deps.dev
Purl
pkg:npm/protobufjs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.5.6

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2pr8-phx7-x9h3/GHSA-2pr8-phx7-x9h3.json"
last_known_affected_version_range 
"<= 7.5.5"

npm / protobufjs

Package

Name
protobufjs
View open source insights on deps.dev
Purl
pkg:npm/protobufjs

Affected ranges

Type
SEMVER
Events
Introduced
8.0.0
Fixed
8.0.2

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2pr8-phx7-x9h3/GHSA-2pr8-phx7-x9h3.json"
last_known_affected_version_range 
"<= 8.0.1"