CVE-2026-44294 Overview
CVE-2026-44294 affects protobufjs, a library that compiles Protocol Buffer definitions into JavaScript functions. The vulnerability exists in versions prior to 7.5.6 and 8.0.2. The library generates JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor can cause generated encode, decode, verify, or conversion functions to fail during compilation. The issue is tracked under [CWE-20] Improper Input Validation.
Critical Impact
Attackers supplying crafted protobuf schemas can break code generation in downstream applications, leading to availability loss in services that load untrusted descriptors.
Affected Products
- protobufjs versions prior to 7.5.6 (7.x branch)
- protobufjs versions prior to 8.0.2 (8.x branch)
- Node.js applications consuming untrusted .proto schemas or JSON descriptors via protobufjs
Discovery Timeline
- 2026-05-13 - CVE-2026-44294 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44294
Vulnerability Analysis
The protobufjs library translates Protocol Buffer schemas into JavaScript functions at runtime. During code generation, the library writes field and oneof names directly into the source of encode, decode, verify, and conversion functions. The generator did not escape control characters in these names. When a schema supplied a field name containing characters such as newlines or quotes, the resulting JavaScript source produced syntactically invalid code. Compilation of that generated function then failed, raising an exception in the application thread responsible for loading the schema.
Root Cause
The root cause is improper input validation during template-based code emission. The generator treated schema-controlled identifiers as trusted strings and concatenated them into property accessor expressions. Control characters were preserved verbatim instead of being escaped or rejected. This violates safe code-generation practice when any portion of the schema originates from an untrusted source. The fix in versions 7.5.6 and 8.0.2 adds escaping for control characters before identifiers are inlined into generated function bodies.
Attack Vector
Exploitation requires the target application to load a .proto definition or JSON descriptor from an attacker-controlled source. The attacker crafts a field name or oneof name containing embedded control characters. When the application calls schema-loading APIs such as protobuf.parse or Root.fromJSON, code generation fails. The result is a denial-of-service condition limited to the schema-loading code path. Confidentiality and integrity are not affected. The attack is network-reachable in services that accept remote schema definitions, such as plugin loaders, multi-tenant API gateways, or registries.
Detection Methods for CVE-2026-44294
Indicators of Compromise
- Repeated SyntaxError exceptions thrown from protobufjs code-generation routines such as encode, decode, verify, or toObject.
- Application crashes or 5xx responses correlated with ingestion of externally supplied .proto files or JSON descriptors.
- Protobuf field or oneof names in stored schemas containing non-printable control characters when inspected as raw bytes.
Detection Strategies
- Inventory Node.js services that depend on protobufjs using npm ls protobufjs or software composition analysis tools, and flag any version below 7.5.6 or 8.0.2.
- Add runtime logging around schema-loading entry points to capture descriptor sources and field-name byte patterns.
- Scan stored schema repositories and message catalogs for control characters in field names using regular expressions over identifier fields.
Monitoring Recommendations
- Alert on unhandled SyntaxError exceptions originating from protobufjs modules in production logs.
- Monitor schema ingestion endpoints for elevated error rates following untrusted upload activity.
- Track dependency version drift in CI pipelines to detect downgrades below the patched releases.
How to Mitigate CVE-2026-44294
Immediate Actions Required
- Upgrade protobufjs to 7.5.6 on the 7.x branch or 8.0.2 on the 8.x branch.
- Audit all code paths that load .proto files or JSON descriptors from user input, partners, or third-party registries.
- Reject schemas containing control characters in field or oneof names at the application boundary until the upgrade is deployed.
Patch Information
The maintainers fixed the issue in protobufjs releases 7.5.6 and 8.0.2 by escaping control characters in identifiers before they are embedded in generated function bodies. Refer to the protobufjs GitHub Security Advisory GHSA-2pr8-phx7-x9h3 for the official fix details.
Workarounds
- Restrict schema loading to trusted, signed sources and disallow runtime ingestion of untrusted descriptors.
- Validate field and oneof names against a strict identifier allowlist such as ^[A-Za-z_][A-Za-z0-9_]*$ before passing them to protobufjs.
- Wrap schema-loading calls in error handlers that fail safely without terminating the host process.
# Upgrade protobufjs to a patched version
npm install protobufjs@^8.0.2
# or for the 7.x branch
npm install protobufjs@^7.5.6
# Verify the installed version
npm ls protobufjs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
