CVE-2026-44293: Prototype Poisoning in protobufjs

The core of this vulnerability lies in the way protobufjs generates JavaScript code for converting protobuf messages to JavaScript objects. The toObject function, responsible for this conversion, can be influenced by the protobuf descriptor itself. Specifically, if a bytes field within the descriptor has a default value that is not a string, protobufjs may generate an unsafe expression. An attacker can leverage this by providing a malicious descriptor with a carefully crafted non-string default value. This crafted descriptor will cause protobufjs to emit attacker-controlled JavaScript code during the conversion process. Successful exploitation requires the application to load and process this attacker-controlled descriptor. The potential impact is severe: remote code execution (RCE) within the application's process. This could allow an attacker to steal sensitive data, modify application behavior, or even gain control of the underlying system, depending on the application's privileges and access rights. The blast radius is directly tied to the application's functionality and the permissions of the process running protobufjs.

1. Publicada2026-05-12

Due to the lack of a specific fixed_in version, immediate mitigation focuses on preventing the loading of untrusted protobuf descriptors. Implement strict input validation and sanitization to ensure that only trusted descriptors are processed by protobufjs. Consider using a Web Application Firewall (WAF) or proxy to inspect incoming protobuf data and block requests containing suspicious descriptors. If possible, restrict the application's access to the file system to prevent attackers from injecting malicious descriptors. As a temporary workaround, consider disabling the toObject functionality if it's not essential for the application's operation. Monitor application logs for any unusual activity related to protobuf processing. Once a patched version of protobufjs is released, upgrade immediately and verify the fix by attempting to load a known malicious descriptor and confirming that the expected error occurs instead of code execution.