protobuf.js: Code injection through bytes field defaults in generated toObject code

Description

protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function.

Recommendation

Update the protobufjs package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 8.0.0, <= 8.0.1

  <= 7.5.5**

• Patched version(s): **8.0.2

  7.5.6**

References

• GHSA-66ff-xgx4-vchm
• CVE-2026-44293
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• protobuf.js: Denial of service from crafted field names in generated code - CVE-2026-44294
• protobuf.js: Prototype injection in generated message constructors - CVE-2026-44292
• protobuf.js: Code injection in pbjs static output from crafted schema names - CVE-2026-44295
• protobuf.js: Code generation gadget after prototype pollution - CVE-2026-44291

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

protobufjs