CVE-2026-44293 Overview
CVE-2026-44293 affects protobufjs, a widely deployed library that parses Protocol Buffers definitions and generates JavaScript encode, decode and conversion functions from them at runtime. The generated toObject converter can contain an unsafe expression derived from a bytes field's default value, which is controlled by whoever authors the schema. A crafted descriptor that declares a non-string default for a bytes field causes attacker-controlled text to be emitted, unescaped, into the generated conversion function, where it is compiled and run as JavaScript. The flaw is classified as [CWE-94] Improper Control of Generation of Code (Code Injection). Maintainers fixed the issue in versions 7.5.6 and 8.0.2.
Critical Impact
Attackers who supply or influence protobuf descriptors can inject arbitrary JavaScript that executes inside the host process with that process's privileges, leading to remote code execution in Node.js environments. The trigger is the schema itself, not a malformed message: once a crafted descriptor has been compiled, invoking the generated toObject converter on a message of that type runs the injected code.
Affected Products
- protobufjs versions prior to 7.5.6 on the 7.x branch
- protobufjs versions prior to 8.0.2 on the 8.x branch
- Node.js applications consuming untrusted .proto descriptors via protobufjs
Discovery Timeline
- 2026-05-13 - CVE-2026-44293 published to the National Vulnerability Database (NVD)
- 2026-05-13 - NVD record last updated
Technical Details for CVE-2026-44293
Vulnerability Analysis
protobufjs generates JavaScript at runtime to convert between protobuf messages and plain objects. The toObject converter emits code that materializes each field's declared default value. For bytes fields, the generator assumes the default value is a string (the form a .proto file or JSON descriptor normally supplies) and builds the corresponding literal by string concatenation, inlining it directly into the function body without checking its type or escaping it.
When a descriptor instead supplies a non-string default value, such as an array or object whose string form contains JavaScript, the generator concatenates that text verbatim into the produced source. The resulting function is compiled with Function or an equivalent dynamic constructor, so whatever the attacker placed in the descriptor becomes part of the converter and executes when the converter runs.
Exploitation requires the victim application to load a protobuf descriptor from an untrusted source. Applications that accept user-uploaded .proto files, parse descriptors from network input, or dynamically build schemas from external configuration are exposed. Applications whose schemas are fixed at build time and shipped with their own source are not reachable through this vector, although they should still upgrade.
Root Cause
The code generator treats schema-controlled metadata as trusted input. It interpolates the bytes default value into a generated function string instead of serializing it through a safe encoder (such as JSON.stringify) or rejecting values of the wrong type. Because the generated function is later compiled and invoked, any syntactically valid JavaScript embedded in the default value runs with the privileges of the host process.
Attack Vector
The attack vector is network-based. An attacker delivers a malicious protobuf descriptor to a service that compiles it with protobufjs. When the generated toObject function is invoked on a message of the crafted type, the injected expression executes. Refer to the GitHub Security Advisory GHSA-66ff-xgx4-vchm for the full technical writeup.
Detection Methods for CVE-2026-44293
Indicators of Compromise
- Unexpected child processes spawned by Node.js workers that process protobuf input
- Outbound network connections from services after loading a new .proto descriptor
- Presence of protobufjs versions earlier than 7.5.6 or 8.0.2 in package-lock.json or node_modules
- Protobuf descriptors containing non-string default values on bytes fields
Detection Strategies
- Run software composition analysis (SCA) across repositories and container images to flag vulnerable protobufjs versions
- Inspect runtime telemetry for Node.js processes that compile dynamic functions shortly after parsing external descriptors; protobufjs compiles its converters with dynamic functions as a matter of course, so treat this signal as context for the other indicators rather than as an alert on its own
- Hash and review descriptor files accepted by services that deserialize protobuf schemas at runtime
Monitoring Recommendations
- Alert on process executions and file writes originating from Node.js services that should not spawn shells
- Log every call site that loads protobuf descriptors from untrusted sources and capture the descriptor hash
- Monitor egress traffic from microservices that perform protobuf decoding for anomalous destinations
How to Mitigate CVE-2026-44293
Immediate Actions Required
- Upgrade protobufjs to 7.5.6 or later on the 7.x branch, or 8.0.2 or later on the 8.x branch, across all direct and transitive dependencies (check lockfiles rather than package.json alone, since a nested copy can pin an older version)
- Audit applications that accept protobuf descriptors from external parties and restrict them to trusted sources
- Rebuild and redeploy container images that bundled vulnerable versions of the library
Patch Information
The maintainers released fixed builds in protobufjs 7.5.6 and 8.0.2. The patches validate that bytes default values are strings before interpolating them into generated code. Review the GitHub Security Advisory GHSA-66ff-xgx4-vchm for vendor guidance and commit references.
Workarounds
- Refuse to load .proto descriptors or FileDescriptorSet payloads sourced from untrusted users
- Strip or reject default values on bytes fields before passing descriptors to protobufjs
- Run protobuf parsing in an isolated worker with no filesystem or network privileges until upgrades complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.