無料スキャン
分析待ちCVE-2026-44291

CVE-2026-44291: Prototype Pollution in protobufjs

プラットフォーム

nodejs

コンポーネント

protobufjs

NVDで見る
保存

CVE-2026-44291 affects versions of protobufjs up to 7.5.5. This vulnerability stems from the library's use of plain objects with inherited prototypes for internal type lookup tables. If an attacker can successfully pollute Object.prototype, they can manipulate these lookup tables, potentially leading to arbitrary JavaScript code execution during encoding or decoding operations.

影響と攻撃シナリオ翻訳中…

The core impact of CVE-2026-44291 lies in its potential for arbitrary JavaScript code execution. An attacker first needs to trigger a prototype pollution vulnerability, which could be achieved through various means depending on how protobufjs is integrated into the application. Once successful, the attacker can influence the generated JavaScript code used for encoding or decoding protobuf messages. This malicious code could then be executed within the application's context, granting the attacker a significant level of control. The blast radius is dependent on the application's privileges and the sensitivity of the data being processed by protobufjs. This vulnerability shares similarities with other prototype pollution attacks, highlighting the importance of secure object handling practices.

悪用の状況翻訳中…

CVE-2026-44291 was published on 2026-05-12. Its severity is rated HIGH with a CVSS score of 8.1. Currently, there are no publicly known exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. Monitor security advisories and vulnerability databases for updates on exploitation activity.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H8.1HIGHAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityHigh悪用に必要な条件Privileges RequiredNone攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeUnchanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityHighサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
高 — 競合条件、非標準設定、または特定の状況が必要。悪用が難しい。
Privileges Required
なし — 認証不要。資格情報なしで悪用可能。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化なし — 影響は脆弱なコンポーネントのみ。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
高 — 完全なクラッシュまたはリソース枯渇。完全なサービス拒否。

影響を受けるソフトウェア

コンポーネントprotobufjs
最大バージョン7.5.5

弱点分類 (CWE)

CWE-94CWE-1321

タイムライン

  1. 公開日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-44291 is to upgrade to a patched version of protobufjs. The vendor has not yet released a fixed version as of the publication date, so careful monitoring of the project's releases is crucial. As a temporary workaround, consider implementing strict object property validation to prevent prototype pollution at the application level. This could involve sanitizing input data before it's used to populate objects or employing libraries designed to prevent prototype pollution. WAF rules could be configured to detect and block requests containing suspicious prototype pollution payloads, although this is a less reliable defense. After upgrading, confirm the fix by attempting to trigger a protobuf encoding/decoding operation with a known malicious payload and verifying that it does not result in code execution.

修正方法翻訳中…

公式パッチはありません。回避策を確認するか、アップデートを監視してください。

よくある質問翻訳中…

What is CVE-2026-44291 — Prototype Pollution in protobufjs?

CVE-2026-44291 is a HIGH severity vulnerability affecting protobufjs versions up to 7.5.5. It allows attackers to inject malicious code by polluting Object.prototype, potentially leading to arbitrary JavaScript code execution during encoding or decoding.

Am I affected by CVE-2026-44291 in protobufjs?

You are affected if you are using protobufjs version 7.5.5 or earlier. Check your project's dependencies to determine if you are using a vulnerable version.

How do I fix CVE-2026-44291 in protobufjs?

Upgrade to a patched version of protobufjs as soon as it becomes available. Until then, implement strict object property validation to prevent prototype pollution at the application level.

Is CVE-2026-44291 being actively exploited?

As of the publication date, there are no publicly known exploits or active campaigns targeting CVE-2026-44291. However, it's crucial to monitor for updates and potential exploitation attempts.

Where can I find the official protobufjs advisory for CVE-2026-44291?

Refer to the official protobufjs project's website and GitHub repository for updates and advisories related to CVE-2026-44291. Check the project's security page for announcements.

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...