Scan free
Pending AnalysisCVE-2026-44292

CVE-2026-44292: Prototype Injection in protobufjs

Platform

nodejs

Component

protobufjs

View on NVD
Save

CVE-2026-44292 is a prototype injection vulnerability discovered in protobufjs, a JavaScript library for encoding and decoding Protocol Buffer messages. This flaw arises because the message constructors improperly copy enumerable properties from a provided object without filtering the proto key. Exploitation allows an attacker to modify the prototype chain of individual message instances, potentially leading to unexpected behavior and code execution within the application.

Impact and Attack Scenarios

The core impact of CVE-2026-44292 lies in the ability of an attacker to manipulate the prototype chain of protobufjs message instances. By crafting a malicious properties object containing a proto property, an attacker can effectively hijack the inheritance of a message. This can lead to arbitrary code execution if the attacker can control the properties injected into the message. The vulnerability is per-instance, meaning each message created with the attacker-controlled properties is affected individually. While not a direct remote code execution vulnerability, it can be leveraged in conjunction with other vulnerabilities or application logic to achieve code execution. The blast radius depends heavily on the application's use of protobufjs and the level of attacker control over the properties object. A successful exploit could allow an attacker to modify the behavior of the application, potentially leading to data breaches or complete system compromise.

Exploitation Context

CVE-2026-44292 was published on 2026-05-12. Its severity is currently assessed as MEDIUM (CVSS 5.3). There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. The vulnerability is not currently listed on CISA Known Exploited Vulnerabilities (KEV) catalog. The EPSS score is pending evaluation. Monitor security advisories and vulnerability databases for updates.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N5.3MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentprotobufjs
Maximum version7.5.5

Weakness Classification (CWE)

CWE-1321

Timeline

  1. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-44292 is to upgrade to a patched version of protobufjs. Versions greater than 7.5.5 contain the necessary fixes to prevent the uncontrolled copying of enumerable properties. If upgrading is not immediately feasible, consider implementing input validation on the properties object passed to the protobufjs message constructor. Specifically, filter out any properties with the name proto before passing the object to the constructor. While not a complete solution, this can significantly reduce the attack surface. Additionally, review your application's usage of protobufjs to identify any potential areas where an attacker could influence the properties object. After upgrading, confirm the fix by attempting to construct a message with a malicious properties object containing a proto property; the constructor should now reject this input.

How to fix

No official patch available. Check for workarounds or monitor for updates.

Frequently asked questions

What is CVE-2026-44292?

It's a prototype injection vulnerability in protobufjs, allowing attackers to modify message instance prototypes.

Am I affected?

If you're using protobufjs versions 7.5.5 or earlier, you are potentially affected. Assess your application's usage of protobufjs.

How to fix it?

Upgrade to protobufjs version 7.5.6 or later. If upgrading isn't possible, implement input validation to filter out proto properties.

Is it being exploited?

Currently, there are no known public exploits or active campaigns targeting this vulnerability.

Where can I learn more?

Refer to the official NVD entry for CVE-2026-44292 and the protobufjs project's security advisories.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...