Description
protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. The affected decoder accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them.
The issue concerns overlong encodings and code points outside the Unicode range.
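The strict behaviour the description calls for, as an added example (this is not protobufjs code and not part of the advisory): a decoder that replaces overlong sequences and code points above U+10FFFF with U+FFFD and reports their offsets. The names `decodeUtf8Strict`, `MIN_CP` and `SAMPLE` are hypothetical, and the sample bytes are constructed.

```javascript
// Added example, not protobufjs code. Smallest code point that needs each length.
const MIN_CP = { 2: 0x80, 3: 0x800, 4: 0x10000 };

// Decode bytes strictly: any rejected sequence becomes one U+FFFD and is reported.
// (Assumption: one replacement per rejected sequence; WHATWG decoders may emit more.)
function decodeUtf8Strict(bytes) {
  let text = "";
  const errors = [];
  let i = 0;
  while (i < bytes.length) {
    const b = bytes[i];
    if (b < 0x80) { text += String.fromCharCode(b); i++; continue; }
    // Sequence length from the lead byte; 0 = not a valid lead (0x80-0xBF, 0xF8+).
    const len = b >= 0xf8 ? 0 : b >= 0xf0 ? 4 : b >= 0xe0 ? 3 : b >= 0xc0 ? 2 : 0;
    let cp = len ? b & (0xff >> (len + 1)) : 0;
    let ok = len !== 0 && i + len <= bytes.length;
    for (let k = 1; ok && k < len; k++) {
      const c = bytes[i + k];
      if ((c & 0xc0) !== 0x80) ok = false; // not a continuation byte
      else cp = (cp << 6) | (c & 0x3f);
    }
    let reason = null;
    if (!ok) reason = "malformed";
    else if (cp < MIN_CP[len]) reason = "overlong"; // a shorter encoding exists
    else if (cp > 0x10ffff) reason = "out-of-range"; // beyond the Unicode range
    else if (cp >= 0xd800 && cp <= 0xdfff) reason = "surrogate";
    if (reason) {
      errors.push({ offset: i, reason });
      text += "\ufffd";
      i += ok ? len : 1;
    } else {
      text += String.fromCodePoint(cp);
      i += len;
    }
  }
  return { text, errors };
}

// Constructed sample: "A", overlong 2- and 3-byte forms of "/", U+110000, "é".
const SAMPLE = Uint8Array.from([
  0x41, 0xc0, 0xaf, 0xe0, 0x80, 0xaf, 0xf4, 0x90, 0x80, 0x80, 0xc3, 0xa9,
]);
console.log(decodeUtf8Strict(SAMPLE));
```

A decoder with the flaw described above would return "/" for the two overlong sequences instead of U+FFFD.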
Recommendation
Update the protobufjs package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 8.0.0, <= 8.0.1** and **<= 7.5.5**. Patched version(s): **8.0.2**, **7.5.6**
Related Issues
- protobufjs has overlong UTF-8 decoding - @protobufjs/utf8 - CVE-2026-44288
- Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability - CVE-2026-44211
- @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading - CVE-2026-41640
- i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - CVE-2026-41691
Last updated on May 14, 2026


