CVE-2026-44291 Overview
CVE-2026-44291 affects protobufjs, a widely used Node.js library that compiles Protocol Buffer (protobuf) definitions into JavaScript encode and decode functions. Versions prior to 7.5.6 and 8.0.2 use plain JavaScript objects with inherited prototypes for internal type lookup tables. When Object.prototype is polluted earlier in the runtime, these lookup tables resolve attacker-controlled inherited properties as legitimate protobuf type information. The result is code injection [CWE-94], where attacker-controlled strings can be emitted directly into generated JavaScript code. Maintainers fixed the issue in 7.5.6 and 8.0.2.
Critical Impact
When combined with a prototype pollution primitive, attackers can inject arbitrary strings into generated JavaScript executed by the host application, leading to code execution in Node.js processes.
Affected Products
- protobufjs for Node.js versions prior to 7.5.6 (7.x branch)
- protobufjs for Node.js versions prior to 8.0.2 (8.x branch)
- Applications and services that consume protobuf definitions through the protobufjs runtime
Discovery Timeline
- 2026-05-13 - CVE-2026-44291 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44291
Vulnerability Analysis
The protobufjs library generates JavaScript encode and decode functions at runtime from .proto definitions. To resolve nested message and field types, the library maintains internal lookup tables implemented as plain JavaScript objects. These objects inherit from Object.prototype by default rather than being created with a null prototype.
When another component in the application has already polluted Object.prototype with attacker-controlled keys, the protobufjs lookup logic cannot distinguish between legitimate entries and inherited properties. The library treats those inherited properties as valid type descriptors. The descriptor strings then flow into the code generator, which concatenates them into the body of dynamically built Function objects. The vulnerability is classified as Improper Control of Generation of Code [CWE-94].
Root Cause
The root cause is the use of prototype-inheriting objects ({}) for security-sensitive lookup tables consumed by a code generator. Property reads such as lookup[name] return inherited values when own properties are absent, allowing prototype pollution to feed the code generator. The maintainers fixed this by hardening the lookup paths so inherited properties cannot be interpreted as type information.
Attack Vector
Exploitation requires two preconditions. First, an attacker must reach a prototype pollution sink in the target application or one of its dependencies. Second, the application must subsequently compile or process protobuf definitions using a vulnerable protobufjs build. Once both conditions are met, attacker-controlled strings reach the generated function body and execute in the Node.js process. The high attack complexity reflects the need to chain prototype pollution with the protobuf code path.
No verified public proof-of-concept is referenced in the advisory. Refer to the GitHub Security Advisory GHSA-75px-5xx7-5xc7 for vendor technical details.
Detection Methods for CVE-2026-44291
Indicators of Compromise
- Unexpected protobufjs generated functions containing string literals that do not match any known .proto definition shipped with the application.
- Node.js process spawning child processes or performing outbound network connections shortly after protobuf message compilation.
- Application logs showing JavaScript runtime errors referring to dynamically generated encode or decode functions.
Detection Strategies
- Inventory node_modules and lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) for protobufjs versions below 7.5.6 or 8.0.2.
- Run npm audit or equivalent software composition analysis tooling against the GitHub advisory database to flag GHSA-75px-5xx7-5xc7.
- Review codebases for known prototype pollution sinks (recursive merge, Object.assign of untrusted input, query string parsers) that could chain into this issue.
Monitoring Recommendations
- Monitor Node.js services for anomalous use of Function constructor or eval-like behavior originating from protobufjs modules.
- Alert on outbound connections from backend services that only legitimately speak gRPC or protobuf internally.
- Track package version drift in CI/CD so unpatched protobufjs releases do not reach production builds.
How to Mitigate CVE-2026-44291
Immediate Actions Required
- Upgrade protobufjs to 7.5.6 on the 7.x branch or 8.0.2 on the 8.x branch.
- Rebuild and redeploy any container images, serverless bundles, or front-end artifacts that vendor protobufjs.
- Audit application dependencies for known prototype pollution vulnerabilities and patch them in the same release.
Patch Information
The maintainers fixed CVE-2026-44291 in protobufjs7.5.6 and 8.0.2. See the GitHub Security Advisory GHSA-75px-5xx7-5xc7 for the official remediation guidance and commit references.
Workarounds
- Where immediate upgrade is not possible, eliminate prototype pollution primitives in upstream code paths to remove the chain into protobufjs.
- Freeze Object.prototype at application startup using Object.freeze(Object.prototype) after required modules have loaded, validating compatibility in staging first.
- Restrict untrusted input from reaching merge, clone, or parser functions that write to nested object keys.
# Upgrade protobufjs to a fixed release
npm install protobufjs@^8.0.2
# or for the 7.x branch
npm install protobufjs@^7.5.6
# Verify the resolved version in the dependency tree
npm ls protobufjs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
