PatchSiren cyber security CVE debrief

CVE-2026-44293 Protobufjs Project CVE debrief

CVE-2026-44293 is a vulnerability in Protobufjs, a JavaScript library for working with Protocol Buffers. The vulnerability allows for attacker-controlled code to be emitted into the generated conversion function. This is due to an unsafe expression derived from a schema-controlled bytes field default value in the generated JavaScript for toObject conversion. A crafted descriptor with a non-string default value for a bytes field could cause this vulnerability. The vulnerability is fixed in versions 7.5.6 and 8.0.2 of Protobufjs.

Vendor: Protobufjs Project
Product: Protobufjs
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-07-01
Advisory published: 2026-05-13
Advisory updated: 2026-07-01

Who should care

Developers and users of Protobufjs, especially those running versions prior to 7.5.6 (on the 7.x line) or 8.0.2 (on the 8.x line), should be aware of this vulnerability. It could allow attackers to execute arbitrary code in the process that loads a crafted descriptor. Users of Red Hat products that bundle Protobufjs may also be affected, as indicated by the presence of Red Hat errata references.

Technical summary

The vulnerability in Protobufjs arises from the way it generates JavaScript code for toObject conversion. Specifically, the code generated for a bytes field that carries a default value could embed an unsafe expression derived from that default. An attacker who supplies a descriptor in which a bytes field has a non-string default value can therefore get attacker-controlled code emitted into the generated conversion function. The root cause is that the default value is taken from the schema, so the schema itself is the untrusted input. This issue has been addressed in Protobufjs versions 7.5.6 and 8.0.2. The CVSS score for this vulnerability is 7.7, indicating a high severity level.

Defensive priority

High priority should be given to updating Protobufjs to version 7.5.6 or 8.0.2, or later, to mitigate this vulnerability. Additionally, developers should review where their code loads descriptors (schemas), particularly any descriptor that comes from an untrusted or external source, since a crafted descriptor with a non-string default value on a bytes field is the trigger for this vulnerability.

Recommended defensive actions

  • Update Protobufjs to version 7.5.6 or 8.0.2, or later.
  • Review where descriptors are loaded and treat descriptors from untrusted sources as untrusted input; reject bytes fields whose default value is not a string.
  • Monitor for any suspicious activity related to Protobufjs usage.
  • Apply Red Hat errata if applicable.
  • Consider implementing additional security measures to detect and prevent code injection attacks.

Evidence notes

The CVE record and NVD detail provide the description, CVSS score and affected versions. The source item URL provides additional context from the NVD database. The mitigation or vendor reference from GitHub describes the fix for this vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.