CVE-2026-44290 Overview
CVE-2026-44290 is a prototype pollution vulnerability in protobufjs, a widely used Node.js library that compiles Protocol Buffer definitions into JavaScript functions. Versions prior to 7.5.6 and 8.0.2 permit certain schema option paths to traverse through inherited object properties during option application. An attacker who supplies a crafted protobuf schema or JSON descriptor can write to properties on global JavaScript constructors. This corrupts process-wide built-in functionality and can degrade availability across the entire Node.js process. The flaw maps to CWE-1321: Improperly Controlled Modification of Object Prototype Attributes.
Critical Impact
Crafted protobuf schemas can pollute global JavaScript constructor prototypes, corrupting process-wide built-in functionality and causing denial of service across applications that parse untrusted schema input.
Affected Products
- protobufjs versions prior to 7.5.6 (7.x branch)
- protobufjs versions prior to 8.0.2 (8.x branch)
- Node.js applications consuming protobufjs as a dependency
Discovery Timeline
- 2026-05-13 - CVE-2026-44290 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44290
Vulnerability Analysis
The protobufjs library converts Protocol Buffer schema definitions into runtime JavaScript objects. During this compilation, the library processes option fields attached to messages, fields, and enums. The option-handling logic walks dotted property paths and assigns values into the target object.
Prior to the fixed releases, this traversal did not distinguish between own properties and inherited properties. A schema author could supply an option path that resolves through __proto__, constructor, or prototype chains. Assignment to such a path mutates the shared prototype of global JavaScript constructors. Once a built-in prototype is polluted, every object in the Node.js process inherits the attacker-controlled property, producing unpredictable behavior or process termination.
Root Cause
The root cause is unsafe recursive property assignment without sanitization of reserved property names. The option resolver follows the dotted path provided in the schema and assigns leaf values without verifying that intermediate keys are own properties. This pattern, classified under [CWE-1321], allows traversal into Object.prototype and other built-in prototypes through crafted descriptor input.
Attack Vector
The attack vector is network-accessible whenever an application parses protobuf schemas or JSON descriptors from untrusted sources. Common exposure points include services that accept dynamic .proto definitions, gRPC reflection endpoints that load remote schemas, and tooling that ingests third-party message descriptors. The attacker does not need authentication or user interaction. Successful exploitation impacts availability by corrupting global constructors and can produce cascading runtime errors across the Node.js process.
No verified public exploit code is available. Technical details are described in the GitHub Security Advisory GHSA-jvwf-75h9-cwgg.
Detection Methods for CVE-2026-44290
Indicators of Compromise
- Unexpected properties appearing on Object.prototype, Function.prototype, or Array.prototype at runtime
- Node.js process crashes or TypeError exceptions originating from previously stable built-in operations
- Schema or descriptor payloads containing option keys referencing __proto__, constructor, or prototype
- Anomalous behavior in unrelated modules after protobuf schema ingestion
Detection Strategies
- Inventory all direct and transitive dependencies on protobufjs using npm ls protobufjs or equivalent software composition analysis tooling
- Inspect inbound protobuf schemas and JSON descriptors for option paths containing prototype-chain identifiers before parsing
- Add runtime checks that freeze Object.prototype with Object.freeze(Object.prototype) during application bootstrap to surface pollution attempts
- Correlate dependency manifests against the GitHub Advisory Database entry for GHSA-jvwf-75h9-cwgg
Monitoring Recommendations
- Log all schema-loading operations with source identity and payload hash for forensic review
- Alert on Node.js process restarts that correlate with protobuf parsing activity
- Track CI/CD pipelines for builds pulling vulnerable protobufjs versions and block merges when detected
- Monitor application performance metrics for sudden increases in unhandled exception rates following schema ingestion
How to Mitigate CVE-2026-44290
Immediate Actions Required
- Upgrade protobufjs to version 7.5.6 on the 7.x branch or 8.0.2 on the 8.x branch
- Audit all services that load protobuf definitions from untrusted or remote sources
- Restrict schema ingestion endpoints to authenticated, trusted publishers until patches are deployed
- Rebuild and redeploy container images that bundle the vulnerable package
Patch Information
The maintainers fixed CVE-2026-44290 in protobufjs7.5.6 and 8.0.2. The patches add sanitization to option-path traversal so that assignment cannot reach inherited prototype properties. Refer to the GitHub Security Advisory GHSA-jvwf-75h9-cwgg for full remediation details and commit references.
Workarounds
- Validate protobuf schema input and reject any option path containing __proto__, constructor, or prototype substrings
- Apply Object.freeze(Object.prototype) and freeze other built-in prototypes at process startup to block pollution writes
- Isolate untrusted schema parsing in short-lived worker processes that can be terminated without affecting the main application
- Disable dynamic schema loading features where not strictly required by business logic
# Configuration example
npm install protobufjs@^8.0.2
# or for the 7.x branch
npm install protobufjs@^7.5.6
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
