protobuf.js: Process-wide denial of service through unsafe option paths
- Severity: High
Description
protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality.
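The bug class described above, as an added example (generic code written for this page, not protobufjs source): a dotted-path setter that follows inherited properties, beside a hardened one that rejects dangerous segments and descends only through own properties. The dotted path format, the function names and the marker key are assumptions made for illustration.

```javascript
// Added illustration; generic code, not taken from protobufjs.
// Assumption: option paths are dot-separated strings such as "a.b.c".
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const dataProp = (value) => ({ value, writable: true, enumerable: true, configurable: true });

// Naive setter: follows whatever cur[key] resolves to, inherited or not.
function setPathUnsafe(target, path, value) {
  const keys = path.split(".");
  let cur = target;
  for (const key of keys.slice(0, -1)) {
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key]; // "constructor" on a plain object resolves to the global Object
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: rejects dangerous segments, walks own properties only,
// and creates intermediate containers without a prototype.
function setPathSafe(target, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => k === "" || BLOCKED.has(k))) {
    throw new Error("unsafe option path: " + path);
  }
  let cur = target;
  for (const key of keys.slice(0, -1)) {
    if (!hasOwn(cur, key)) {
      Object.defineProperty(cur, key, dataProp(Object.create(null)));
    } else if (cur[key] === null || typeof cur[key] !== "object") {
      throw new Error("option path crosses a non-object at: " + key);
    }
    cur = cur[key];
  }
  Object.defineProperty(cur, keys[keys.length - 1], dataProp(value));
  return target;
}

// Constructed demo: a harmless marker key shows where each setter writes.
function demo() {
  const MARK = "__advisory_demo_marker__";
  setPathUnsafe({}, "constructor." + MARK, 1);
  const leaked = hasOwn(Object, MARK); // the write landed on the global constructor
  delete Object[MARK];                 // clean up the marker
  let rejected = false;
  try { setPathSafe({}, "constructor." + MARK, 1); } catch (e) { rejected = true; }
  const ok = setPathSafe({}, "deprecated.reason", "old");
  return { leaked, rejected, clean: !(MARK in Object), value: ok.deprecated.reason };
}
```

The same blocked-segment check can be run over untrusted schemas or JSON descriptors before they are loaded, as a stopgap where upgrading is delayed.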
Recommendation
Update the protobufjs package to the latest compatible version. Version details:
- Affected version(s): **>= 8.0.0, <= 8.0.1** and **<= 7.5.5**
- Patched version(s): **8.0.2** and **7.5.6**
Related Issues
- protobuf.js: Denial of service through unbounded protobuf recursion - CVE-2026-44289
- protobuf.js: Denial of service from crafted field names in generated code - CVE-2026-44294
- protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion - CVE-2026-45740
- protobuf.js: Code injection through bytes field defaults in generated toObject code - CVE-2026-44293
- Tags: npm, protobufjs
Last updated on May 14, 2026


