protobuf.js: Denial of service from crafted field names in generated code

Severity:: Medium

Description

protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies.

Recommendation

Update the protobufjs package to the latest compatible version. Followings are version details:

Affected version(s): **>= 8.0.0, <= 8.0.1 <= 7.5.5**
Patched version(s): **8.0.2 7.5.6**

References

GHSA-2pr8-phx7-x9h3
CVE-2026-44294
CWE-20
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

protobuf.js: Code injection through bytes field defaults in generated toObject code - CVE-2026-44293
protobuf.js: Process-wide denial of service through unsafe option paths - CVE-2026-44290
protobuf.js: Denial of service through unbounded protobuf recursion - CVE-2026-44289
protobuf.js: Code injection in pbjs static output from crafted schema names - CVE-2026-44295

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; protobufjs

Anything's wrong? Let us know Last updated on May 14, 2026