PatchSiren cyber security CVE debrief
CVE-2026-44293 Protobufjs Project CVE debrief
CVE-2026-44293 is a code-injection vulnerability in Protobufjs, the JavaScript implementation of Protocol Buffers. Protobufjs generates the JavaScript for a message type's toObject conversion at runtime, and that generated code embeds each field's default value. For a bytes field, the default taken from the schema was turned into a source expression without being validated or escaped, so a crafted descriptor carrying a non-string default value for a bytes field can cause attacker-controlled code to be emitted into the generated conversion function. The fix ships in Protobufjs 7.5.6 and 8.0.2.
- Vendor: Protobufjs Project
- Product: Protobufjs
- CVSS: 7.7 (High)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-07-01
- Advisory published: 2026-05-13
- Advisory updated: 2026-07-01
Who should care
Anyone shipping Protobufjs below 7.5.6 on the 7.x line or below 8.0.2 on the 8.x line, including transitive copies pulled in by gRPC clients and protobuf tooling. The trigger is the schema, not the wire message: the unsafe expression comes from a field default in the descriptor, so applications that load descriptors or .proto definitions from untrusted sources (schema registries, user-uploaded protos, reflection-driven tools) are the most exposed, while applications that only compile their own schemas need the attacker to control the schema first. Because the injected code runs inside the generated toObject function, a successful trigger is arbitrary code execution in the process that built the converter. Users of Red Hat products that bundle Protobufjs may also be affected; the debrief cites Red Hat errata references for those builds.
Technical summary
Protobufjs builds a message type's toObject converter by generating JavaScript source and compiling it, and the generated code assigns each field's default value when defaults are requested. A string default for a bytes field is decoded into bytes before generation, but a descriptor can supply a non-string default, and in affected versions that value was formatted into the generated source as a raw expression rather than as a validated byte array. A crafted descriptor can therefore place arbitrary JavaScript into the converter, which executes as soon as the generated toObject runs. The issue is fixed in Protobufjs 7.5.6 and 8.0.2 and carries a CVSS score of 7.7 (High).
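The following is an added example, not protobufjs's own code and not from the original debrief. It models the bug class in a few dozen lines: a toObject() converter is generated as source text from a schema, and a bytes field's default is spliced into that source. The unsafe emitter trusts the default verbatim; the hardened one validates it as octets and emits a JSON literal. The schema shape, helper names and the marker payload are all constructed for illustration and differ from the real library's descriptor format and generator.

```javascript
"use strict";
// Added example, not protobufjs code: a minimal model of the bug class behind
// CVE-2026-44293. A toObject() conversion function is generated as source text
// from a schema, and a bytes field's default value is spliced into that source.
// Schema shape, helper names and payload are constructed for illustration.

// Identifier check for property names. Both emitters use it, so the only
// difference between them is how the bytes default itself is emitted.
function safeProp(name) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name)) throw new TypeError("bad field name: " + name);
  return name;
}

// UNSAFE: builds the array literal with join(). A real loader converts a
// string default to bytes first, but a non-string default (an array of
// strings, say) reaches this point untouched, so join() returns whatever text
// the schema author put there and it lands in the generated source verbatim.
function emitBytesDefaultUnsafe(prop, def) {
  const arrayDefault = "[" + Array.prototype.slice.call(def).join(",") + "]";
  return "d." + prop + "=" + arrayDefault + ";";
}

// HARDENED: require a sequence of octets, then emit it with JSON.stringify,
// which can only ever produce a numeric array literal. Fail closed otherwise.
function emitBytesDefaultSafe(prop, def) {
  const octets = Array.from(def);
  if (!octets.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) {
    throw new TypeError("bytes default for " + prop + " is not a byte sequence");
  }
  return "d." + prop + "=" + JSON.stringify(octets) + ";";
}

// Generates toObject(m, o): apply defaults, then copy fields present on the
// message m. The options object o stands in for the scope a real generated
// function can reach (module helpers, globals), i.e. what injected code can touch.
function generateToObject(schema, emitBytesDefault) {
  let src = "var d={};\n";
  for (const field of schema.fields) {
    const prop = safeProp(field.name);
    const def = field.options && field.options.default;
    if (def != null) {
      src += (field.type === "bytes"
        ? emitBytesDefault(prop, def)
        : "d." + prop + "=" + JSON.stringify(def) + ";") + "\n";
    }
    src += "if(m." + prop + "!=null)d." + prop + "=m." + prop + ";\n";
  }
  src += "return d;";
  return new Function("m", "o", src); // same mechanism as codegen-based converters
}

// Constructed descriptors. The crafted one carries a non-string default whose
// text closes the array literal and starts a new statement.
const benignSchema = {
  name: "Blob",
  fields: [{ name: "data", type: "bytes", options: { default: [1, 2, 3] } }],
};
const craftedSchema = {
  name: "Probe",
  fields: [{ name: "data", type: "bytes", options: { default: ["0]; o.injected=true; //"] } }],
};

// Runs one schema through one emitter and reports whether the marker was set.
function convert(schema, emitBytesDefault) {
  const toObject = generateToObject(schema, emitBytesDefault);
  const o = { injected: false };
  const result = toObject({}, o);
  return { injected: o.injected, data: result.data };
}

function demo() {
  const out = {
    unsafeBenign: convert(benignSchema, emitBytesDefaultUnsafe),
    unsafeCrafted: convert(craftedSchema, emitBytesDefaultUnsafe),
    safeBenign: convert(benignSchema, emitBytesDefaultSafe),
    safeCraftedRejected: false,
  };
  try {
    convert(craftedSchema, emitBytesDefaultSafe);
  } catch (e) {
    out.safeCraftedRejected = e instanceof TypeError;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running it shows the two emitters agree on the benign schema, the unsafe emitter executes the crafted default (the marker flips to true and the generated field holds `[0]`), and the hardened emitter rejects the crafted descriptor before any source is compiled. The design point is that the fix is not escaping the text but refusing to let non-byte data reach the generator at all, then serialising with a function that can only produce a literal.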
Defensive priority
High. Upgrade to Protobufjs 7.5.6 (7.x line) or 8.0.2 (8.x line) or later. Treat as urgent any service that compiles schemas at runtime from input it does not fully control, since that is where an attacker can supply the crafted descriptor; services that only use their own checked-in schemas can schedule the upgrade with normal dependency hygiene but should still remove nested vulnerable copies from the dependency tree.
Recommended defensive actions
- Update Protobufjs to 7.5.6 or 8.0.2, or later, and check the whole dependency tree (npm ls protobufjs), because gRPC clients and tooling often pin their own nested copy that a top-level upgrade does not touch.
- Inventory every code path that loads descriptors or .proto definitions from outside the trust boundary (for example Root.fromJSON, protobuf.parse, protobuf.load) and confirm what input can reach them.
- Until the upgrade lands, reject untrusted descriptors in which a bytes field carries a non-string default, since that is the condition the advisory describes as the trigger; this is an interim control, not a substitute for the fix.
- Monitor services that compile schemas at runtime for unexpected behaviour after descriptor loads, and log which descriptors they accepted.
- Apply Red Hat errata if applicable.
- Treat schema and descriptor input as code-adjacent input in threat models and reviews, and add code-injection detection and prevention controls where runtime code generation is in use.
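To support the first action above, here is an added example that is not part of the original debrief or of protobufjs: it walks an npm package-lock.json (lockfileVersion 2 or 3 "packages" map) and reports every installed copy of protobufjs, including nested transitive copies, that predates the fixed releases named in the advisory. The lockfile embedded in the block is constructed sample data; pass a real lockfile path as the first argument to scan a project.

```javascript
"use strict";
// Added example, not part of the debrief or of protobufjs. Finds every copy of
// protobufjs in an npm lockfile and flags versions below the fixed releases
// named in the advisory (7.5.6 and 8.0.2). The sample lockfile is constructed.

const FIXED = { 7: [7, 5, 6], 8: [8, 0, 2] };

// Minimal semver parse: "7.5.5" or "7.5.6-rc.1" -> numbers plus a prerelease
// flag. A prerelease of the fix version sorts below the fix in semver, so it
// is still reported as affected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) throw new Error("unparseable version: " + v);
  return { nums: [+m[1], +m[2], +m[3]], prerelease: !!m[4] };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected: any 8.x below 8.0.2, and anything below 7.5.6 (which covers every
// 6.x and earlier release, none of which the advisory lists as fixed).
function isAffected(version) {
  const { nums, prerelease } = parseVersion(version);
  const fixed = nums[0] >= 8 ? FIXED[8] : FIXED[7];
  const c = cmp(nums, fixed);
  return c < 0 || (c === 0 && prerelease);
}

// Lockfile v2/v3 keys are install paths: "node_modules/x" for top-level
// packages and "node_modules/a/node_modules/x" for nested copies.
function findProtobufjs(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith("node_modules/protobufjs")) continue;
    hits.push({ path, version: pkg.version, affected: isAffected(pkg.version) });
  }
  return hits;
}

// Constructed sample: a fixed 8.x at top level plus an old 7.x nested under a
// hypothetical gRPC client package, which is the case a top-level upgrade misses.
const sampleLock = {
  name: "svc",
  lockfileVersion: 3,
  packages: {
    "": { name: "svc", dependencies: { protobufjs: "^8.0.2", "some-grpc-client": "^1.0.0" } },
    "node_modules/protobufjs": { version: "8.0.2" },
    "node_modules/some-grpc-client": { version: "1.0.0", dependencies: { protobufjs: "^7.2.0" } },
    "node_modules/some-grpc-client/node_modules/protobufjs": { version: "7.5.5" },
  },
};

// Returns only the affected copies.
function scan(lock = sampleLock) {
  return findProtobufjs(lock).filter((h) => h.affected);
}

if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : sampleLock;
  for (const h of scan(lock)) console.log("AFFECTED " + h.path + " protobufjs@" + h.version);
}
```

On the sample data the top-level 8.0.2 passes and the nested 7.5.5 is reported, which is exactly the situation where `npm audit`-style advice to "upgrade protobufjs" leaves a vulnerable copy in place until the dependant that pins it is also updated or an override is added.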
Evidence notes
The CVE record and the NVD entry supply the description, the CVSS score and the affected and fixed versions. The source item URL is the NVD modified-feed entry from which this debrief was built. The mitigation or vendor reference is the GitHub reference that documents the fix.
Official resources
- CVE-2026-44293 CVE record (CVE.org)
- CVE-2026-44293 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (GitHub; Mitigation, Vendor Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.