CVE-2026-44294
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
13/05/2026
Last modified:
13/05/2026
Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:* | 7.5.6 (excluding) | |
| cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:* | 8.0.0 (including) | 8.0.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



