Escanear grátis
Análise pendenteCVE-2026-44292

CVE-2026-44292: Prototype Injection in protobufjs

Plataforma

nodejs

Componente

protobufjs

Ver no NVD
Salvar

CVE-2026-44292 is a prototype injection vulnerability discovered in protobufjs, a JavaScript library for encoding and decoding Protocol Buffer messages. This flaw arises because the message constructors improperly copy enumerable properties from a provided object without filtering the proto key. Exploitation allows an attacker to modify the prototype chain of individual message instances, potentially leading to unexpected behavior and code execution within the application.

Impacto e Cenários de Ataquetraduzindo…

The core impact of CVE-2026-44292 lies in the ability of an attacker to manipulate the prototype chain of protobufjs message instances. By crafting a malicious properties object containing a proto property, an attacker can effectively hijack the inheritance of a message. This can lead to arbitrary code execution if the attacker can control the properties injected into the message. The vulnerability is per-instance, meaning each message created with the attacker-controlled properties is affected individually. While not a direct remote code execution vulnerability, it can be leveraged in conjunction with other vulnerabilities or application logic to achieve code execution. The blast radius depends heavily on the application's use of protobufjs and the level of attacker control over the properties object. A successful exploit could allow an attacker to modify the behavior of the application, potentially leading to data breaches or complete system compromise.

Contexto de Exploraçãotraduzindo…

CVE-2026-44292 was published on 2026-05-12. Its severity is currently assessed as MEDIUM (CVSS 5.3). There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. The vulnerability is not currently listed on CISA Known Exploited Vulnerabilities (KEV) catalog. The EPSS score is pending evaluation. Monitor security advisories and vulnerability databases for updates.

Inteligência de Ameaças

Status do Exploit

Prova de ConceitoDesconhecido
CISA KEVNO
Exposição na InternetAlta

Vetor CVSS

INTELIGÊNCIA DE AMEAÇAS· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N5.3MEDIUMAttack VectorNetworkComo o atacante alcança o alvoAttack ComplexityLowCondições necessárias para explorarPrivileges RequiredNoneNível de autenticação necessárioUser InteractionNoneSe a vítima precisa tomar uma açãoScopeUnchangedImpacto além do componente afetadoConfidentialityNoneRisco de exposição de dados sensíveisIntegrityLowRisco de modificação não autorizada de dadosAvailabilityNoneRisco de interrupção de serviçonextguardhq.com · Pontuação Base CVSS v3.1
O que significam essas métricas?
Attack Vector
Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
Attack Complexity
Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
Privileges Required
Nenhum — sem autenticação necessária para explorar.
User Interaction
Nenhuma — ataque automático e silencioso. A vítima não faz nada.
Scope
Inalterado — impacto limitado ao componente vulnerável.
Confidentiality
Nenhum — sem impacto na confidencialidade.
Integrity
Baixo — o atacante pode modificar alguns dados com alcance limitado.
Availability
Nenhum — sem impacto na disponibilidade.

Software Afetado

Componenteprotobufjs
Versão máxima7.5.5

Classificação de Fraqueza (CWE)

CWE-1321

Linha do tempo

  1. Publicada

Mitigação e Soluções Alternativastraduzindo…

The primary mitigation for CVE-2026-44292 is to upgrade to a patched version of protobufjs. Versions greater than 7.5.5 contain the necessary fixes to prevent the uncontrolled copying of enumerable properties. If upgrading is not immediately feasible, consider implementing input validation on the properties object passed to the protobufjs message constructor. Specifically, filter out any properties with the name proto before passing the object to the constructor. While not a complete solution, this can significantly reduce the attack surface. Additionally, review your application's usage of protobufjs to identify any potential areas where an attacker could influence the properties object. After upgrading, confirm the fix by attempting to construct a message with a malicious properties object containing a proto property; the constructor should now reject this input.

Como corrigirtraduzindo…

Nenhum patch oficial disponível. Procure alternativas ou monitore atualizações.

Perguntas frequentestraduzindo…

What is CVE-2026-44292?

It's a prototype injection vulnerability in protobufjs, allowing attackers to modify message instance prototypes.

Am I affected?

If you're using protobufjs versions 7.5.5 or earlier, you are potentially affected. Assess your application's usage of protobufjs.

How to fix it?

Upgrade to protobufjs version 7.5.6 or later. If upgrading isn't possible, implement input validation to filter out proto properties.

Is it being exploited?

Currently, there are no known public exploits or active campaigns targeting this vulnerability.

Where can I learn more?

Refer to the official NVD entry for CVE-2026-44292 and the protobufjs project's security advisories.

Seu projeto está afetado?

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátisBuscar CVEs
ao vivoverificação gratuita

Experimente agora — sem conta

Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.

Escaneamento manualAlertas por Slack/e-mailMonitoramento ContínuoRelatórios de marca branca

Arraste e solte seu arquivo de dependências

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...