CVE-2026-44290
PUBLISHED
CVSS 7.5 HIGH
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.
EPSS 0.10% · 28.0th percentile
Risk Scores
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.10% (28.0th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| npm | protobufjs | 0, 8.0.0 |
| protobufjs_project | protobufjs | 0, 8.0.0 |
| protobufjs | protobuf.js | >= 8.0.0, < 8.0.2, * |
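To check a project against the fixed releases named in the description (7.5.6 and 8.0.2), the following sketch audits a parsed npm lockfile for older protobufjs installs, including nested copies. It is an added example, not code from protobufjs or from this database; the sample lockfile and its package names are constructed, and flagging pre-releases of a fixed version is a conservative assumption.

```javascript
// Added example (not protobufjs code): flag installs affected by CVE-2026-44290
// in a parsed package-lock.json (lockfileVersion 2/3 "packages" map).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) };
}

// True when version a sorts before release b ([major, minor, patch]).
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b[i]) return a.nums[i] < b[i];
  }
  return a.pre; // assumption: a pre-release of a fixed version is still flagged
}

// Returns true/false, or null when the version string cannot be parsed.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  // The 8.x line is fixed in 8.0.2; everything older is fixed in 7.5.6.
  return v.nums[0] >= 8 ? lessThan(v, [8, 0, 2]) : lessThan(v, [7, 5, 6]);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match top-level and nested copies, but not similarly named packages.
    if (!/(^|\/)node_modules\/protobufjs$/.test(path)) continue;
    const affected = isAffected(meta.version);
    if (affected === false) continue;
    const status = affected === null ? "unparsed" : "affected";
    findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile; package names other than protobufjs are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/protobufjs": { version: "7.5.6" },
    "node_modules/demo-rpc/node_modules/protobufjs": { version: "7.2.5" },
    "node_modules/demo-codec/node_modules/protobufjs": { version: "8.0.1" },
    "node_modules/protobufjs-demo-plugin": { version: "1.0.0" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

In a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `auditLockfile`; entries reported as `unparsed` need manual review.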
Timeline
- May 12, 2026 CVE Published
- May 14, 2026 CVE Updated
- May 15, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
References
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jvwf-75h9-cwgg url
- https://nvd.nist.gov/vuln/detail/CVE-2026-44290 advisory
- https://github.com/protobufjs/protobuf.js package
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6 url
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2 url