CVE-2026-44293

Severity CVSS v4.0:
HIGH
Type:
CWE-94 Code Injection
Publication date:
13/05/2026
Last modified:
10/07/2026

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:* 7.5.6 (excluding)
cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:* 8.0.0 (including) 8.0.2 (excluding)