Description
protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance.
Recommendation
Update the protobufjs package to the latest compatible version. Followings are version details:
Affected version(s): **>= 8.0.0, <= 8.0.1 <= 7.5.5** Patched version(s): **8.0.2 7.5.6**
References
Related Issues
- protobuf.js: Code injection through bytes field defaults in generated toObject code - CVE-2026-44293
- protobuf.js: Denial of service from crafted field names in generated code - CVE-2026-44294
- protobuf.js: Code generation gadget after prototype pollution - CVE-2026-44291
- Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking - CVE-2026-42264
You might also like:
- Tags:
- npm
- protobufjs
Anything's wrong? Let us know Last updated on May 14, 2026