CVE-2026-44291: Prototype Pollution in protobufjs
Platform: nodejs
Component: protobufjs
CVE-2026-44291 affects versions of protobufjs up to 7.5.5. This vulnerability stems from the library's use of plain objects with inherited prototypes for internal type lookup tables. If an attacker can successfully pollute Object.prototype, they can manipulate these lookup tables, potentially leading to arbitrary JavaScript code execution during encoding or decoding operations.
Impact and Attack Scenarios
The core impact of CVE-2026-44291 lies in its potential for arbitrary JavaScript code execution. An attacker first needs to trigger a prototype pollution vulnerability, which could be achieved through various means depending on how protobufjs is integrated into the application. Once successful, the attacker can influence the generated JavaScript code used for encoding or decoding protobuf messages. This malicious code would then be executed within the application's context, granting the attacker a significant level of control. The blast radius depends on the application's privileges and the sensitivity of the data being processed by protobufjs. This vulnerability shares similarities with other prototype pollution attacks, highlighting the importance of secure object handling practices.
Exploitation Context
CVE-2026-44291 was published on 2026-05-12. Its severity is rated HIGH with a CVSS score of 8.1. Currently, there are no publicly known exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. Monitor security advisories and vulnerability databases for updates on exploitation activity.
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet, with no physical or local access required; the largest attack surface.
- Attack Complexity: High. Requires a race condition, a non-default configuration, or specific circumstances; harder to exploit.
- Privileges Required: None. No authentication; no credentials are needed to exploit.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Unchanged. The impact is confined to the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify, or delete any data.
- Availability: High. Complete outage or resource exhaustion; total denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2026-44291 is to upgrade to a patched version of protobufjs. The vendor had not released a fixed version as of the publication date, so careful monitoring of the project's releases is crucial. As a temporary workaround, consider implementing strict object property validation to prevent prototype pollution at the application level. This could involve sanitizing input data before it is used to populate objects, or employing libraries designed to prevent prototype pollution. WAF rules could be configured to detect and block requests containing suspicious prototype pollution payloads, although this is a less reliable defense. After upgrading, confirm the fix by triggering a protobuf encoding/decoding operation with a known malicious payload and verifying that it does not result in code execution.
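The two points above, a lookup table that inherits from Object.prototype (the weakness class described in the overview) and application-level key validation (the workaround), illustrated as an added example. This is not protobufjs code: the table, the key set and the function names are hypothetical, written to show the defensive pattern.

```javascript
// Keys that, when copied from untrusted JSON into an existing object,
// can reach the prototype chain instead of staying on the target object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hypothetical unsafe lookup: a plain-object table inherits every
// property of Object.prototype, so names such as "constructor" resolve
// even though they were never registered, and any polluted property
// would resolve the same way.
function lookupUnsafe(table, name) {
  return table[name];
}

// Hardened table: null prototype, so there is nothing to inherit.
function makeTable(entries) {
  const table = Object.create(null);
  for (const [key, value] of entries) table[key] = value;
  return table;
}

// Hardened lookup: only own properties count, never inherited ones.
function lookupSafe(table, name) {
  return Object.prototype.hasOwnProperty.call(table, name)
    ? table[name]
    : undefined;
}

// Copies a parsed JSON value into null-prototype objects, rejecting
// the keys that prototype-pollution payloads rely on. JSON.parse stores
// "__proto__" as an own property, so Object.keys() does surface it here.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value === null || typeof value !== "object") return value;
  const out = Object.create(null);
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    out[key] = sanitize(value[key]);
  }
  return out;
}

// Constructed sample input, as it might arrive from a request body.
const SAMPLE_INPUT = '{"type":"Msg","opts":{"__proto__":{"x":1}}}';

function demo() {
  const table = makeTable([["Msg", { fields: ["id"] }]]);
  const inherited = typeof lookupUnsafe({ Msg: 1 }, "constructor"); // "function"
  const own = lookupSafe(table, "constructor");                       // undefined
  let rejected = false;
  try { sanitize(JSON.parse(SAMPLE_INPUT)); } catch (e) { rejected = true; }
  return { inherited, own, rejected };
}
```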
How to fix it
No official patch is available. Look for alternatives or monitor for updates.
Frequently asked questions
What is CVE-2026-44291 — Prototype Pollution in protobufjs?
CVE-2026-44291 is a HIGH severity vulnerability affecting protobufjs versions up to 7.5.5. It allows attackers to inject malicious code by polluting Object.prototype, potentially leading to arbitrary JavaScript code execution during encoding or decoding.
Am I affected by CVE-2026-44291 in protobufjs?
You are affected if you are using protobufjs version 7.5.5 or earlier. Check your project's dependencies to determine if you are using a vulnerable version.
How do I fix CVE-2026-44291 in protobufjs?
Upgrade to a patched version of protobufjs as soon as it becomes available. Until then, implement strict object property validation to prevent prototype pollution at the application level.
Is CVE-2026-44291 being actively exploited?
As of the publication date, there are no publicly known exploits or active campaigns targeting CVE-2026-44291. However, it's crucial to monitor for updates and potential exploitation attempts.
Where can I find the official protobufjs advisory for CVE-2026-44291?
Refer to the official protobufjs project's website and GitHub repository for updates and advisories related to CVE-2026-44291. Check the project's security page for announcements.