CVE-2026-44292

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-fx83-v9x8-x52w	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:protobufjs_project:protobufjs::::::node.js::*
	cpe:2.3:a:protobufjs_project:protobufjs::::::node.js::*

History

13 May 2026, 20:58

Type	Values Removed	Values Added
First Time		Protobufjs Project protobufjs Protobufjs Project
CPE		cpe:2.3:a:protobufjs_project:protobufjs::::::node.js::*
References	~~() https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-fx83-v9x8-x52w -~~	() https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-fx83-v9x8-x52w - Vendor Advisory, Mitigation

13 May 2026, 17:01

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-13 16:16

Updated : 2026-05-13 20:58

NVD link : CVE-2026-44292

Mitre link : CVE-2026-44292

CVE.ORG link : CVE-2026-44292

JSON object : View

Products Affected

protobufjs_project

protobufjs

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

5.3 /10