CVE-2026-44292 Overview
CVE-2026-44292 is a prototype pollution vulnerability in protobufjs, a widely used Node.js library that compiles Protocol Buffer definitions into JavaScript functions. Versions prior to 7.5.6 and 8.0.2 generate message constructors that copy enumerable properties from a supplied properties object without filtering the __proto__ key. An attacker who supplies a crafted plain object to a message constructor can alter the prototype of that individual message instance. The flaw maps to CWE-1321: Improperly Controlled Modification of Object Prototype Attributes. Maintainers fixed the issue in protobufjs7.5.6 and 8.0.2.
Critical Impact
Applications that build protobuf messages from attacker-controlled JSON objects can have message-instance prototypes mutated, leading to integrity loss and potential downstream logic bypasses.
Affected Products
- protobufjs for Node.js, all versions prior to 7.5.6
- protobufjs for Node.js, 8.x versions prior to 8.0.2
- Applications and services that pass untrusted plain objects into generated protobuf message constructors
Discovery Timeline
- 2026-05-13 - CVE-2026-44292 published to NVD
- 2026-05-13 - Last updated in NVD database
- Vendor Advisory - GHSA-fx83-v9x8-x52w published by the protobufjs maintainers
Technical Details for CVE-2026-44292
Vulnerability Analysis
protobufjs generates message classes at runtime from .proto schema files. The generated constructors accept a properties object and copy its enumerable fields onto the new message instance. Prior to the fix, this copy loop did not exclude the __proto__ key. When an attacker-controlled plain object contained an own enumerable __proto__ property, the assignment redefined the prototype of that single message instance rather than creating a normal data field.
The impact is scoped to the affected instance and does not pollute Object.prototype globally. However, the modified prototype can still alter property lookups, method resolution, and downstream serialization on that object. Services that route attacker JSON directly into protobuf messages, such as gRPC gateways or HTTP-to-protobuf bridges, are the most exposed.
Root Cause
The root cause is unsafe key copying in the generated constructor code. JavaScript treats __proto__ as a special accessor on plain objects: an own enumerable __proto__ property set through JSON.parse is treated as data, but a direct assignment (target.__proto__ = value) invokes the setter that reassigns the prototype. The constructor performed the latter, conflating data-field assignment with prototype mutation.
Attack Vector
Exploitation requires the target application to construct a protobuf message from an object whose contents originate from an untrusted source. A typical pattern is new MessageType(JSON.parse(req.body)). The attacker submits a JSON payload such as {"__proto__": {"isAdmin": true}}. The constructor copies the __proto__ entry, replacing the instance prototype with the attacker-supplied object. Subsequent property reads against the instance return attacker-controlled values when the field is otherwise absent.
No authentication is required when the vulnerable code path is reachable over the network, and exploitation does not require user interaction. The attack does not yield code execution on its own; impact depends on how the application uses the resulting message.
No verified public proof-of-concept is referenced in the advisory. See the protobufjs security advisory GHSA-fx83-v9x8-x52w for the maintainer write-up.
Detection Methods for CVE-2026-44292
Indicators of Compromise
- Inbound JSON request bodies that contain a literal __proto__ key, especially in fields routed to protobuf decoders
- Application logs showing message instances with unexpected inherited properties after deserialization
- Dependency manifests (package.json, package-lock.json, yarn.lock) referencing protobufjs versions below 7.5.6 or below 8.0.2
Detection Strategies
- Run software composition analysis (SCA) against Node.js projects to flag vulnerable protobufjs ranges.
- Add web application firewall (WAF) or API gateway rules that reject JSON payloads containing __proto__, constructor.prototype, or prototype keys at sensitive endpoints.
- Enable runtime application self-protection (RASP) or instrument constructors to log when __proto__ is encountered during property copy operations.
Monitoring Recommendations
- Monitor gRPC and REST-to-protobuf bridges for anomalous JSON keys and abnormal request rates from single sources.
- Track Node.js process behavior for unexpected property access patterns and authorization bypass attempts following deserialization.
- Alert on dependency drift when protobufjs is downgraded or pinned to a vulnerable range in CI/CD pipelines.
How to Mitigate CVE-2026-44292
Immediate Actions Required
- Upgrade protobufjs to 7.5.6 or 8.0.2 or later across all Node.js services.
- Audit code paths that pass untrusted objects into protobuf constructors and switch them to MessageType.fromObject() with validated input or to the binary decode() path.
- Reject any JSON request containing __proto__, constructor, or prototype keys at the edge before they reach application logic.
Patch Information
The protobufjs maintainers fixed the flaw in versions 7.5.6 and 8.0.2. The fix filters the __proto__ key during property copying in generated constructors. Refer to the GitHub Security Advisory GHSA-fx83-v9x8-x52w for full release notes.
Workarounds
- Sanitize untrusted input before instantiation by removing __proto__, constructor, and prototype keys recursively.
- Use Object.create(null) for properties objects passed to protobuf constructors so they do not carry the special __proto__ setter.
- Prefer binary protobuf decoding over JSON-to-message conversion when handling untrusted external input.
# Upgrade protobufjs to a patched release
npm install protobufjs@^8.0.2
# or for the 7.x line
npm install protobufjs@^7.5.6
# Verify installed version
npm ls protobufjs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
