PatchSiren cyber security CVE debrief
CVE-2026-44289 protobufjs CVE debrief
CVE-2026-44289 is a denial of service vulnerability in protobufjs, a JavaScript library for working with Protocol Buffers. A crafted payload can exhaust the JavaScript call stack while nested protobuf data is being decoded, resulting in denial of service. The issue was fixed in protobufjs versions 7.5.6 and 8.0.2. It carries a CVSS score of 7.5 (high severity), was publicly disclosed on May 13, 2026, and its details were last modified on July 1, 2026.
- Vendor: protobufjs
- Product: protobuf.js
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-07-01
- Advisory published: 2026-05-13
- Advisory updated: 2026-07-01
Who should care
Developers and administrators who use protobufjs in their applications should be aware of this vulnerability and take steps to mitigate it. That means upgrading to a patched version of protobufjs, specifically 7.5.6 or 8.0.2, or applying compensating controls to limit the impact until the upgrade is done. Users of Red Hat products may also be affected and should review the relevant advisories and patches.
Technical summary
The vulnerability arises because the protobufjs decoder recurses without a depth limit while decoding nested protobuf data. A crafted protobuf binary payload with sufficiently deep nesting can therefore exhaust the JavaScript call stack, resulting in denial of service. Two code paths are affected: skipping unknown group fields and the generated decoding of nested message fields. The fix limits the recursion depth during decoding.
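As an added example (not code from protobufjs or from this advisory), the following minimal JavaScript wire-format field skipper shows the kind of depth bound the fix describes: it walks fields by wire type, recurses only for groups, and rejects the input once group nesting exceeds a cap, with the default of 64 being an assumption since the real protobufjs limit is not stated here. Decoding known embedded-message fields would need the same depth counter threaded through.

```javascript
// Added example (not protobufjs code): a bounded protobuf wire-format field skipper.
function readVarint(buf, pos) {
  let value = 0, shift = 0;
  for (;;) {
    if (pos >= buf.length) throw new RangeError('truncated varint');
    const b = buf[pos++];
    value += (b & 0x7f) * 2 ** shift; // multiply rather than << to stay safe past 32 bits
    shift += 7;
    if (b < 0x80) return [value, pos];
    if (shift > 63) throw new RangeError('varint too long');
  }
}
// Skip one field body of the given wire type; returns the position after it.
// Only groups (wire type 3) recurse, so depth is checked against maxDepth there.
function skipField(buf, pos, wireType, depth, maxDepth) {
  switch (wireType) {
    case 0: return readVarint(buf, pos)[1];
    case 1: return pos + 8; // fixed64; an overrun is caught by the next read
    case 5: return pos + 4; // fixed32
    case 2: {
      const [len, p] = readVarint(buf, pos);
      if (p + len > buf.length) throw new RangeError('truncated bytes field');
      return p + len;
    }
    case 3: {
      if (depth >= maxDepth) throw new RangeError('group nesting too deep');
      for (;;) { // consume nested fields until the matching end-group tag
        const [tag, p] = readVarint(buf, pos);
        if ((tag & 7) === 4) return p;
        pos = skipField(buf, p, tag & 7, depth + 1, maxDepth);
      }
    }
    default: throw new RangeError(`invalid wire type ${wireType}`);
  }
}
// Walk a message, skipping every field; returns the number of top-level fields.
// maxDepth = 64 is an assumed cap; the real protobufjs limit is not on this page.
function countFields(buf, maxDepth = 64) {
  let pos = 0, n = 0;
  while (pos < buf.length) {
    const [tag, p] = readVarint(buf, pos);
    pos = skipField(buf, p, tag & 7, 0, maxDepth);
    n++;
  }
  return n;
}
// Constructed sample: field 1 as a group nested `depth` levels (0x0b = start, 0x0c = end).
function nestedGroups(depth) {
  return Uint8Array.from([...Array(depth).fill(0x0b), ...Array(depth).fill(0x0c)]);
}
```

Calling `countFields(nestedGroups(4), 3)` throws the depth error, while the same bytes under the default cap decode as a single field; without the check the recursion depth would simply track the payload.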
Defensive priority
This vulnerability should be prioritized for remediation due to its high severity and potential for denial of service attacks. Affected users should upgrade to a patched version of protobufjs as soon as possible.
Recommended defensive actions
- Upgrade to protobufjs version 7.5.6 or 8.0.2
- Apply compensating controls to limit the impact of the vulnerability
- Review and apply relevant advisories and patches from Red Hat
- Monitor for and limit exposure to crafted protobuf binary payloads
- Consider implementing additional security measures to prevent denial of service attacks
Evidence notes
The vulnerability was publicly disclosed on May 13, 2026, and the details were last modified on July 1, 2026. The issue is fixed in versions 7.5.6 and 8.0.2 of protobufjs. The CVSS score for this vulnerability is 7.5, indicating high severity. The vulnerability affects both skipping unknown group fields and generated decoding of nested message fields.
Official resources
- CVE-2026-44289 CVE record (CVE.org)
- CVE-2026-44289 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.