PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44289 protobufjs CVE debrief

CVE-2026-44289 is a denial of service vulnerability in protobufjs, a JavaScript library for working with Protocol Buffers. An attacker can trigger the denial of service by supplying nested protobuf data that exhausts the JavaScript call stack while the library decodes it. The issue was fixed in protobufjs versions 7.5.6 and 8.0.2. The vulnerability has a CVSS score of 7.5 and is rated high severity. It was publicly disclosed on May 13, 2026, and its details were last modified on July 1, 2026.

Vendor: protobufjs
Product: protobuf.js
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-07-01
Advisory published: 2026-05-13
Advisory updated: 2026-07-01

Who should care

Developers and administrators using protobufjs in their applications should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a patched version of protobufjs, specifically version 7.5.6 or 8.0.2, or applying compensating controls to limit the impact of the vulnerability. Additionally, users of Red Hat products may be affected and should review the relevant advisories and patches.

Technical summary

The vulnerability arises because the protobufjs decoder recurses without a depth limit while decoding nested protobuf data. Sufficiently deep nesting exhausts the JavaScript call stack, which results in a denial of service. Both code paths that recurse are affected: skipping unknown group fields and the generated decoding of nested message fields. A crafted protobuf binary payload is enough to trigger the condition. The fix limits the recursion depth during decoding.

Defensive priority

This vulnerability should be prioritized for remediation due to its high severity and potential for denial of service attacks. Affected users should upgrade to a patched version of protobufjs as soon as possible.

Recommended defensive actions

  • Upgrade to protobufjs version 7.5.6 or 8.0.2
  • Apply compensating controls to limit the impact of the vulnerability
  • Review and apply relevant advisories and patches from Red Hat
  • Monitor for and limit exposure to crafted protobuf binary payloads
  • Consider implementing additional security measures to prevent denial of service attacks
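As an added example that is not part of this advisory and not protobufjs code, the following JavaScript shows the shape of the mitigation named in the technical summary, a decoder walk that bounds its own recursion depth, applied as the compensating control listed above: screening a wire-format payload for excessive nesting before it reaches a recursive decoder. The function names, the default limit of 64 and the constructed sample payloads are assumptions made for this example.

```javascript
'use strict';
// Added example, not code from the advisory or from protobufjs itself: a
// schema-agnostic walk over protobuf wire-format bytes that refuses to descend
// past a fixed nesting limit, so it can screen a payload before a recursive
// decoder sees it. The function names, the default limit of 64 and the sample
// payloads below are assumptions made for this example.

const WT_VARINT = 0, WT_FIXED64 = 1, WT_LEN = 2, WT_SGROUP = 3, WT_EGROUP = 4, WT_FIXED32 = 5;

class DepthLimitError extends Error {}
class WireFormatError extends Error {}

// Read one base-128 varint (protobuf allows at most 10 bytes) starting at pos.
function readVarint(buf, pos) {
  let value = 0, factor = 1;
  for (let i = 0; i < 10; i++) {
    if (pos + i >= buf.length) throw new WireFormatError('truncated varint');
    const b = buf[pos + i];
    value += (b & 0x7f) * factor;
    if ((b & 0x80) === 0) return { value, next: pos + i + 1 };
    factor *= 128;
  }
  throw new WireFormatError('varint longer than 10 bytes');
}

// Walk the fields of one message occupying buf[start, end) at nesting `depth`.
// Groups (wire types 3/4) always nest. A length-delimited field (wire type 2)
// is counted as a nested message whenever its bytes parse as one; without the
// schema this over-approximates (a string that happens to look like a message
// counts) but never under-counts. Returns the deepest level reached and the
// offset after the last consumed byte. `closingField` is the field number
// whose end-group tag terminates this walk, or null for a message body.
function walkMessage(buf, start, end, depth, limit, closingField) {
  if (depth > limit) throw new DepthLimitError(`nesting deeper than ${limit}`);
  let deepest = depth;
  let pos = start;
  while (pos < end) {
    const tag = readVarint(buf, pos);
    pos = tag.next;
    const field = Math.floor(tag.value / 8);
    const wt = tag.value % 8;
    if (field === 0) throw new WireFormatError('field number 0 is invalid');
    switch (wt) {
      case WT_VARINT: pos = readVarint(buf, pos).next; break;
      case WT_FIXED64: pos += 8; break;
      case WT_FIXED32: pos += 4; break;
      case WT_LEN: {
        const len = readVarint(buf, pos);
        const bodyStart = len.next, bodyEnd = bodyStart + len.value;
        if (bodyEnd > end) throw new WireFormatError('length-delimited field overruns message');
        try {
          deepest = Math.max(deepest, walkMessage(buf, bodyStart, bodyEnd, depth + 1, limit, null).deepest);
        } catch (e) {
          if (!(e instanceof WireFormatError)) throw e; // DepthLimitError propagates
          // not a well-formed message: treat the bytes as opaque string/bytes content
        }
        pos = bodyEnd;
        break;
      }
      case WT_SGROUP: {
        const inner = walkMessage(buf, pos, end, depth + 1, limit, field);
        deepest = Math.max(deepest, inner.deepest);
        pos = inner.pos;
        break;
      }
      case WT_EGROUP:
        if (closingField === field) return { deepest, pos };
        throw new WireFormatError('end-group tag without matching start-group');
      default:
        throw new WireFormatError(`unknown wire type ${wt}`);
    }
    if (pos > end) throw new WireFormatError('field overruns message');
  }
  if (closingField !== null) throw new WireFormatError('unterminated group');
  return { deepest, pos };
}

// Screen a payload before decoding. Returns { ok: true, depth } for payloads
// within the limit, { ok: false, reason: 'depth-limit' } for payloads nested
// too deeply and { ok: false, reason: 'malformed' } for bytes that are not
// valid wire format at the top level.
function checkNesting(buf, limit = 64) {
  try {
    const { deepest } = walkMessage(buf, 0, buf.length, 0, limit, null);
    return { ok: true, depth: deepest };
  } catch (e) {
    if (e instanceof DepthLimitError) return { ok: false, reason: 'depth-limit' };
    if (e instanceof WireFormatError) return { ok: false, reason: 'malformed' };
    throw e;
  }
}

// Constructed sample: field 1 as a group nested n levels deep
// (n start-group tags 0x0b followed by n end-group tags 0x0c).
function nestedGroups(n) {
  return Uint8Array.from([...Array(n).fill(0x0b), ...Array(n).fill(0x0c)]);
}

// Constructed sample: field 1 as length-delimited sub-messages nested n levels
// deep (n < 63 keeps every length prefix to a single byte); the innermost
// message carries field 2 = 7 as a varint.
function nestedMessages(n) {
  let body = [0x10, 0x07];
  for (let i = 0; i < n; i++) body = [0x0a, body.length, ...body];
  return Uint8Array.from(body);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkNesting(nestedGroups(3), 8));    // { ok: true, depth: 3 }
  console.log(checkNesting(nestedMessages(3), 8));  // { ok: true, depth: 3 }
  console.log(checkNesting(nestedGroups(9), 8));    // { ok: false, reason: 'depth-limit' }
}
```

Because the walker cannot tell from the bytes alone whether a length-delimited field holds a string or an embedded message, it counts any field whose bytes parse as a message; the reported depth is therefore an upper bound, so a rejection can be a false positive while a pass is reliable. The limit should sit at or above the deepest legitimate nesting in the application's own schemas. The walker's recursion is bounded by that same limit, so the screen itself cannot be driven into the failure it guards against.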

Evidence notes

The vulnerability was publicly disclosed on May 13, 2026, and the details were last modified on July 1, 2026. The issue is fixed in versions 7.5.6 and 8.0.2 of protobufjs. The CVSS score for this vulnerability is 7.5, indicating high severity. The vulnerability affects both skipping unknown group fields and generated decoding of nested message fields.

Official resources

This article was generated with AI assistance based on the supplied source corpus.