CVE-2026-44292: Prototype Injection in protobufjs

The core impact of CVE-2026-44292 lies in the ability of an attacker to manipulate the prototype chain of protobufjs message instances. By crafting a malicious properties object containing a proto property, an attacker can effectively hijack the inheritance of a message. This can lead to arbitrary code execution if the attacker can control the properties injected into the message. The vulnerability is per-instance, meaning each message created with the attacker-controlled properties is affected individually. While not a direct remote code execution vulnerability, it can be leveraged in conjunction with other vulnerabilities or application logic to achieve code execution. The blast radius depends heavily on the application's use of protobufjs and the level of attacker control over the properties object. A successful exploit could allow an attacker to modify the behavior of the application, potentially leading to data breaches or complete system compromise.

1. Publicada2026-05-12

The primary mitigation for CVE-2026-44292 is to upgrade to a patched version of protobufjs. Versions greater than 7.5.5 contain the necessary fixes to prevent the uncontrolled copying of enumerable properties. If upgrading is not immediately feasible, consider implementing input validation on the properties object passed to the protobufjs message constructor. Specifically, filter out any properties with the name proto before passing the object to the constructor. While not a complete solution, this can significantly reduce the attack surface. Additionally, review your application's usage of protobufjs to identify any potential areas where an attacker could influence the properties object. After upgrading, confirm the fix by attempting to construct a message with a malicious properties object containing a proto property; the constructor should now reject this input.