CVE-2026-44292: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in protobufjs protobuf.js
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
AI Analysis
Technical Summary
protobuf.js versions before 7.5.6 and between 8.0.0 and 8.0.2 generate message constructors that copy enumerable properties from a provided properties object without filtering the __proto__ key. If an attacker controls the input object, they can inject an own enumerable __proto__ property that alters the prototype of the constructed message instance, leading to prototype pollution. This vulnerability is addressed in protobuf.js versions 7.5.6 and 8.0.2.
Potential Impact
The vulnerability allows an attacker to modify the prototype of individual message instances, potentially leading to unexpected behavior or integrity issues in applications using affected protobuf.js versions. There is no impact on confidentiality or availability according to the CVSS vector. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrading protobuf.js to version 7.5.6 or 8.0.2 or later resolves this vulnerability. Since the vendor advisory indicates these versions fix the issue, users should update to these versions to mitigate the risk. Patch status is confirmed by the vendor advisory. No additional mitigations are specified.
CVE-2026-44292: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in protobufjs protobuf.js
Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
protobuf.js versions before 7.5.6 and between 8.0.0 and 8.0.2 generate message constructors that copy enumerable properties from a provided properties object without filtering the __proto__ key. If an attacker controls the input object, they can inject an own enumerable __proto__ property that alters the prototype of the constructed message instance, leading to prototype pollution. This vulnerability is addressed in protobuf.js versions 7.5.6 and 8.0.2.
Potential Impact
The vulnerability allows an attacker to modify the prototype of individual message instances, potentially leading to unexpected behavior or integrity issues in applications using affected protobuf.js versions. There is no impact on confidentiality or availability according to the CVSS vector. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrading protobuf.js to version 7.5.6 or 8.0.2 or later resolves this vulnerability. Since the vendor advisory indicates these versions fix the issue, users should update to these versions to mitigate the risk. Patch status is confirmed by the vendor advisory. No additional mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T17:39:31.112Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a049721cbff5d8610e00ec6
Added to database: 5/13/2026, 3:22:09 PM
Last enriched: 5/13/2026, 3:38:26 PM
Last updated: 5/14/2026, 6:46:07 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.