Description
protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. The affected decoder accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them.
The issue concerns overlong encodings and code points outside the Unicode range.
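The difference between accepting and replacing such sequences can be checked with a small strict decoder. This is an added example, not the @protobufjs/utf8 source or the project's fix; `readSequence`, `decodeUtf8`, the `acceptOverlong` switch and the byte vectors are all hypothetical and constructed for illustration.

```javascript
// Added example, not the @protobufjs/utf8 source; every name here is hypothetical.
const MIN_CP = [0, 0, 0x80, 0x800, 0x10000]; // smallest code point a 1..4-byte form may carry

// Read one sequence starting at bytes[i]; null means malformed or truncated.
function readSequence(bytes, i) {
  const b0 = bytes[i];
  if (b0 < 0x80) return { cp: b0, len: 1 };
  let len, cp;
  if ((b0 & 0xe0) === 0xc0) { len = 2; cp = b0 & 0x1f; }
  else if ((b0 & 0xf0) === 0xe0) { len = 3; cp = b0 & 0x0f; }
  else if ((b0 & 0xf8) === 0xf0) { len = 4; cp = b0 & 0x07; }
  else return null; // stray continuation byte or invalid lead byte
  if (i + len > bytes.length) return null;
  for (let k = 1; k < len; k++) {
    const b = bytes[i + k];
    if ((b & 0xc0) !== 0x80) return null;
    cp = (cp << 6) | (b & 0x3f);
  }
  return { cp, len };
}

// acceptOverlong=true models the behaviour described for the affected versions;
// the default is the strict behaviour: replace with U+FFFD.
function decodeUtf8(bytes, acceptOverlong = false) {
  let out = "";
  for (let i = 0; i < bytes.length; ) {
    const seq = readSequence(bytes, i);
    const overlong = seq !== null && seq.cp < MIN_CP[seq.len];
    const outOfRange = seq !== null && // past U+10FFFF, or a surrogate
      (seq.cp > 0x10ffff || (seq.cp >= 0xd800 && seq.cp <= 0xdfff));
    if (seq === null || outOfRange || (overlong && !acceptOverlong)) {
      out += "\ufffd"; // replace the offending byte, then resynchronise on the next one
      i += 1;
    } else {
      out += String.fromCodePoint(seq.cp);
      i += seq.len;
    }
  }
  return out;
}

// Constructed test vectors (not taken from the advisory).
const VECTORS = {
  overlong2: [0xc0, 0xaf],             // 2-byte form of U+002F
  overlong3: [0xe0, 0x80, 0xaf],       // 3-byte form of U+002F
  beyondMax: [0xf4, 0x90, 0x80, 0x80], // U+110000, past U+10FFFF
  valid: [0x2f, 0xc3, 0xa9, 0xe2, 0x82, 0xac], // "/é€"
};
```

The same vectors can be fed to whichever decoder an application actually uses; a conforming decoder returns only U+FFFD for the first three and never the canonical character.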
Recommendation
Update the @protobufjs/utf8 package to the latest compatible version. Version details:
- Affected version(s): <= 1.1.0
- Patched version(s): 1.1.1
References
Related Issues
- protobufjs has overlong UTF-8 decoding - CVE-2026-44288
- Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability - CVE-2026-44211
- @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading - CVE-2026-41640
- i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - CVE-2026-41691
Tags:
- npm
- @protobufjs/utf8
Last updated on May 14, 2026


