CVE-2026-44294

Severity CVSS v4.0:
Pending analysis
Type:
CWE-20 Input Validation
Publication date:
13/05/2026
Last modified:
13/05/2026

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:* 7.5.6 (excluding)
cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:* 8.0.0 (including) 8.0.2 (excluding)