Description
protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. The affected decoder accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them.
The issue concerns overlong encodings and code points outside the Unicode range.
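The difference between accepting and replacing such sequences, as an added example that is not protobufjs code: `decodeStrict` applies the per-lead-byte range checks of the WHATWG UTF-8 decoder, while `decodeLenient` is a simplified mask-and-shift model of the flaw described above. Both function names and the sample bytes are constructed for illustration.

```javascript
// Added example: strict decoder (range-checked) vs. a lenient mask-and-shift
// model. Neither function is protobufjs code; names are hypothetical.
function decodeStrict(bytes) {
  let out = "", cp = 0, need = 0, lo = 0x80, hi = 0xBF;
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i];
    if (need === 0) {
      if (b < 0x80) out += String.fromCharCode(b);
      else if (b >= 0xC2 && b <= 0xDF) { need = 1; cp = b & 0x1F; }
      else if (b >= 0xE0 && b <= 0xEF) {
        need = 2; cp = b & 0x0F;
        if (b === 0xE0) lo = 0xA0;      // E0 80..9F would be overlong
        if (b === 0xED) hi = 0x9F;      // ED A0..BF would be a surrogate
      } else if (b >= 0xF0 && b <= 0xF4) {
        need = 3; cp = b & 0x07;
        if (b === 0xF0) lo = 0x90;      // F0 80..8F would be overlong
        if (b === 0xF4) hi = 0x8F;      // F4 90..BF would exceed U+10FFFF
      } else out += "\uFFFD";           // C0, C1, F5..FF, stray continuation
      continue;
    }
    if (b < lo || b > hi) {             // bad continuation: replace, then
      out += "\uFFFD";                  // re-read this byte as a lead byte
      cp = need = 0; lo = 0x80; hi = 0xBF; i--;
      continue;
    }
    lo = 0x80; hi = 0xBF;
    cp = (cp << 6) | (b & 0x3F);
    if (--need === 0) { out += String.fromCodePoint(cp); cp = 0; }
  }
  return need ? out + "\uFFFD" : out;   // truncated sequence at end of input
}

function decodeLenient(bytes) {         // models the flaw: no range checks
  let out = "";
  for (let i = 0; i < bytes.length; ) {
    const b = bytes[i++];
    if (b < 0x80) { out += String.fromCharCode(b); continue; }
    const extra = b >= 0xF0 ? 3 : b >= 0xE0 ? 2 : 1;
    let cp = b & (0x3F >> extra);
    for (let k = 0; k < extra; k++) cp = (cp << 6) | (bytes[i++] & 0x3F);
    out += cp <= 0x10FFFF ? String.fromCodePoint(cp) : "\uFFFD"; // avoid RangeError
  }
  return out;
}

// Constructed sample: "a" + overlong two-byte encoding of "A" (C1 81) + "b"
const sample = [0x61, 0xC1, 0x81, 0x62];
console.log(JSON.stringify(decodeLenient(sample)), JSON.stringify(decodeStrict(sample)));
```

For the inputs tested, the strict decoder's output matches the platform `TextDecoder`, which is a convenient cross-check when validating a patched build.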
Recommendation
Update the protobufjs package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 8.0.0, <= 8.0.1** and **<= 7.5.5**
Patched version(s): **8.0.2** and **7.5.6**
References
Related Issues
- protobufjs has overlong UTF-8 decoding - @protobufjs/utf8 - CVE-2026-44288
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
- music-metadata has an infinite loop vulnerability in ASF parser - CVE-2026-32256
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- Tags:
- npm
- protobufjs
Last updated on May 14, 2026


