CVE-2026-44288: CWE-176: Improper Handling of Unicode Encoding in protobufjs protobuf.js
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.
AI Analysis
Technical Summary
The protobuf.js library, which compiles protobuf definitions into JavaScript functions, had a CWE-176 (Improper Handling of Unicode Encoding) weakness in its minimal UTF-8 decoder. The decoder accepted overlong UTF-8 byte sequences, that is, multi-byte forms that encode a code point representable in fewer bytes and that RFC 3629 forbids, and decoded them to their canonical characters instead of replacing them with the replacement character (U+FFFD). An attacker who controls protobuf binary input can therefore smuggle characters past application-level checks that inspect the raw bytes before string fields are decoded: for example, the byte pair 0xC0 0xAF contains no 0x2F byte, yet a lenient decoder turns it into '/'. Affected versions are all releases before 7.5.6 and 8.0.0 up to but not including 8.0.2; the fix ships in 7.5.6 and 8.0.2.
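To make the bypass concrete, here is an added example (written for this page, not code from protobufjs) of a minimal UTF-8 decoder with a switch between the lenient behaviour the advisory describes and strict RFC 3629 behaviour, beside the kind of raw-byte filter that the lenient path lets an attacker slip past. The decoder, the filter, the forbidden-byte set and the payload bytes are all constructed for illustration; only the overlong encodings themselves and the U+FFFD replacement rule are standard UTF-8 facts.

```javascript
// Added example (not protobufjs code): a minimal UTF-8 decoder with a
// switch for the bug class the advisory describes (overlong sequences
// accepted instead of replaced), beside a raw-byte filter that such a
// decoder lets an attacker slip past. All inputs are constructed here.

// With rejectOverlong=false the decoder rebuilds the code point from the
// lead/continuation bits without checking that the shortest encoding was
// used (the weakness); with rejectOverlong=true non-shortest forms become
// U+FFFD as RFC 3629 requires. Surrogates and code points above U+10FFFF
// are replaced in both modes so String.fromCodePoint never throws.
function decodeUtf8(bytes, { rejectOverlong }) {
  let out = "";
  let i = 0;
  while (i < bytes.length) {
    const b0 = bytes[i];
    let cp, n, min;
    if (b0 < 0x80)                 { cp = b0;        n = 1; min = 0; }
    else if ((b0 & 0xe0) === 0xc0) { cp = b0 & 0x1f; n = 2; min = 0x80; }
    else if ((b0 & 0xf0) === 0xe0) { cp = b0 & 0x0f; n = 3; min = 0x800; }
    else if ((b0 & 0xf8) === 0xf0) { cp = b0 & 0x07; n = 4; min = 0x10000; }
    else { out += "\uFFFD"; i += 1; continue; }          // stray continuation or 0xF8+
    if (i + n > bytes.length) { out += "\uFFFD"; break; } // truncated sequence
    let wellFormed = true;
    for (let k = 1; k < n; k++) {
      const c = bytes[i + k];
      if ((c & 0xc0) !== 0x80) { wellFormed = false; break; }
      cp = (cp << 6) | (c & 0x3f);
    }
    if (!wellFormed) { out += "\uFFFD"; i += 1; continue; }
    const overlong = cp < min;
    const unencodable = cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    if (unencodable || (rejectOverlong && overlong)) {
      out += "\uFFFD"; i += n; continue;                  // one U+FFFD per rejected sequence
    }
    out += String.fromCodePoint(cp);
    i += n;
  }
  return out;
}
const decodeLenient = (bytes) => decodeUtf8(bytes, { rejectOverlong: false });
const decodeStrict = (bytes) => decodeUtf8(bytes, { rejectOverlong: true });

// The kind of pre-decode check the advisory says can be bypassed: it scans
// the encoded bytes for ASCII characters the application wants to block.
const FORBIDDEN = new Set([0x2f, 0x3c, 0x3e]); // '/', '<', '>' (constructed policy)
const rawByteFilterPasses = (bytes) => !bytes.some((b) => FORBIDDEN.has(b));
const decodedHasForbidden = (s) => [...s].some((ch) => FORBIDDEN.has(ch.codePointAt(0)));

// Non-shortest encodings of an ASCII code point (both forbidden by RFC 3629).
const overlong2 = (cp) => [0xc0 | (cp >> 6), 0x80 | (cp & 0x3f)];
const overlong3 = (cp) => [0xe0, 0x80 | (cp >> 6), 0x80 | (cp & 0x3f)];

// Constructed attacker payload: "../etc" with the '/' carried as C0 AF,
// so no 0x2F byte is present for the raw filter to find.
const PAYLOAD = [0x2e, 0x2e, ...overlong2(0x2f), 0x65, 0x74, 0x63];

// Run the raw-byte filter, then decode, and report whether the decoded
// string contains a character the filter was supposed to keep out.
function evaluate(bytes, decode) {
  const decoded = decode(bytes);
  const passed = rawByteFilterPasses(bytes);
  return { rawFilterPassed: passed, decoded, bypassed: passed && decodedHasForbidden(decoded) };
}

// Reference: the platform (WHATWG) decoder also refuses overlong forms.
const referenceDecode = (bytes) => new TextDecoder("utf-8").decode(Uint8Array.from(bytes));

console.log(evaluate(PAYLOAD, decodeLenient)); // decoded "../etc", bypassed true
console.log(evaluate(PAYLOAD, decodeStrict));  // decoded "..\uFFFDetc", bypassed false
```

The strict path consumes the whole well-formed-but-overlong sequence and emits a single U+FFFD; a WHATWG decoder such as TextDecoder emits one per offending byte, which differs in count but not in effect: in neither case does a '/' appear that the raw bytes did not contain.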
Potential Impact
The vulnerability lets crafted protobuf messages evade application-level checks that inspect raw bytes before string decoding, so any filter, allowlist or validation that runs on the encoded payload rather than on the decoded string can be bypassed. It does not itself disclose data or cause a denial of service; its effect is on integrity, through validation logic that accepts input it should have rejected. The CVSS 3.1 score of 5.3 (medium) reflects a network attack vector, low attack complexity, no privileges required and no user interaction, consistent with a low integrity impact and no confidentiality or availability impact.
Mitigation Recommendations
The fix is in protobuf.js 7.5.6 (7.x line) and 8.0.2 (8.x line); upgrade to those releases or later. Because protobufjs is a library that is frequently pulled in transitively, check the whole dependency tree (for example with npm ls protobufjs) rather than only direct dependencies, and regenerate the lockfile so that every copy resolves to a fixed version. Until the upgrade lands, do not rely on checks that inspect raw protobuf bytes: apply filters and validation to the decoded string, or decode string fields with a strict decoder such as TextDecoder, which does not accept overlong forms, before checking them.
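For the upgrade check, an added example (not from the advisory or the project) that classifies a protobufjs version against the fixed releases the advisory names and walks the JSON that `npm ls protobufjs --all --json` prints, so transitive copies are not missed. The dependency tree below is constructed for illustration, and the version parsing assumes plain x.y.z release strings.

```javascript
// Added example, not from the advisory: flag protobufjs versions below the
// fixed releases named in the advisory (7.5.6 and 8.0.2) anywhere in an
// `npm ls protobufjs --all --json` tree. SAMPLE_TREE is constructed.

const FIXED = { 7: [7, 5, 6], 8: [8, 0, 2] };

// Parse "x.y.z" (a leading prerelease/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Vulnerable when the version is below 7.5.6 (any line before 8), or is
// 8.0.0 up to but not including 8.0.2. Later major lines are not listed.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (v[0] < 8) return cmp(v, FIXED[7]) < 0;
  if (v[0] === 8) return cmp(v, FIXED[8]) < 0;
  return false;
}

// Walk the npm ls JSON shape: each node has `version` and `dependencies`.
function findProtobufjs(tree, path = [], found = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === "protobufjs" && node.version) {
      found.push({ path: here.join(" > "), version: node.version, vulnerable: isVulnerable(node.version) });
    }
    findProtobufjs(node, here, found);
  }
  return found;
}

const vulnerableCopies = (tree) => findProtobufjs(tree).filter((f) => f.vulnerable);

// Constructed tree: one fixed direct copy and two vulnerable nested copies
// under hypothetical packages (names invented for the example).
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    protobufjs: { version: "7.5.6" },
    "example-grpc-wrapper": { version: "2.3.0", dependencies: { protobufjs: { version: "7.4.0" } } },
    "example-other-lib": { version: "0.9.1", dependencies: { protobufjs: { version: "8.0.1" } } },
  },
};

for (const hit of vulnerableCopies(SAMPLE_TREE)) {
  console.log(`${hit.path}: ${hit.version} is vulnerable`);
}
```

Against a real project, write the tree with `npm ls protobufjs --all --json > tree.json` and pass `JSON.parse(fs.readFileSync("tree.json", "utf8"))` to vulnerableCopies; a nested hit usually means the parent package needs its own range bumped or an override added.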
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-05T17:39:31.112Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: not specified
Threat ID: 6a049717cbff5d8610e00324
Added to database: 5/13/2026, 3:21:59 PM
Last enriched: 5/13/2026, 3:38:31 PM
Last updated: 5/14/2026, 6:47:02 AM