Description
protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.
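The following is an illustrative example added to this advisory; it is not protobufjs's own code and does not reproduce its internals. It contrasts a type-lookup table held in a plain object literal, where any property reachable through the prototype chain resolves, with two hardened forms (an own-property check and a null-prototype table), and includes a small audit helper that reports entries a table only "has" by inheritance. The table contents, the function names and the polluted property name `PollutedType` are all assumptions made for the demonstration.

```javascript
// Added example (not protobufjs code): plain-object lookup tables resolve
// inherited properties, so a previously polluted Object.prototype can appear
// to contain registered type information. Null-prototype tables or an
// own-property check close that path.

// Vulnerable pattern: a plain object literal inherits from Object.prototype,
// so any name reachable through the prototype chain "resolves".
function lookupPlain(table, name) {
  return table[name];
}

// Hardened pattern 1: accept only own properties of the table.
function lookupOwn(table, name) {
  return Object.prototype.hasOwnProperty.call(table, name) ? table[name] : undefined;
}

// Hardened pattern 2: build the table with no prototype at all, so there is
// no chain for polluted properties to arrive through.
function makeNullProtoTable(entries) {
  const table = Object.create(null);
  for (const [name, type] of Object.entries(entries)) table[name] = type;
  return table;
}

// Audit helper: names that resolve on the table but are not its own
// properties, i.e. entries that exist only because of inheritance.
function inheritedTypeNames(table, candidateNames) {
  return candidateNames.filter(
    (n) => table[n] !== undefined && !Object.prototype.hasOwnProperty.call(table, n)
  );
}

// Simulates the effect of an already-polluted Object.prototype (constructed
// for this demonstration; the name "PollutedType" is an assumption). The
// polluted property is removed again in `finally` so the process is left clean.
function demonstrate() {
  const registered = { MyMessage: { kind: 'message', fields: ['id'] } };
  const plainTable = { ...registered };
  const nullProtoTable = makeNullProtoTable(registered);

  Object.prototype.PollutedType = { kind: 'message', fields: ['injected'] };
  try {
    return {
      // the genuinely registered type resolves through every lookup
      plainFindsReal: lookupPlain(plainTable, 'MyMessage') !== undefined,
      ownFindsReal: lookupOwn(plainTable, 'MyMessage') !== undefined,
      nullProtoFindsReal: lookupPlain(nullProtoTable, 'MyMessage') !== undefined,
      // the inherited name resolves only through the vulnerable lookup
      plainFindsPolluted: lookupPlain(plainTable, 'PollutedType') !== undefined,
      ownFindsPolluted: lookupOwn(plainTable, 'PollutedType') !== undefined,
      nullProtoFindsPolluted: lookupPlain(nullProtoTable, 'PollutedType') !== undefined,
      // the audit helper flags the inherited entry (and built-ins like toString)
      flagged: inheritedTypeNames(plainTable, ['MyMessage', 'PollutedType', 'toString']),
    };
  } finally {
    delete Object.prototype.PollutedType;
  }
}

console.log(demonstrate());
```

Note that the audit helper also flags `toString`: even without any pollution, a plain-object table will "find" every `Object.prototype` member, which is why a null-prototype table or an own-property check is the right default for any name-keyed registry.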
Recommendation
Update the protobufjs package to the latest compatible version. Version details follow:
Affected version(s): **>= 8.0.0, <= 8.0.1** and **<= 7.5.5**
Patched version(s): **8.0.2** and **7.5.6**
Related Issues
- protobuf.js: Code injection through bytes field defaults in generated toObject code - CVE-2026-44293
- protobuf.js: Prototype injection in generated message constructors - CVE-2026-44292
- Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - CVE-2026-42042
- Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041
Last updated on May 14, 2026