Vulnerability Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Protobufjs Project | Protobufjs | < 7.5.6 |
Related Weaknesses (CWE)
References
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-2pr8-phx7-x9hMitigationVendor Advisory
FAQ
What is CVE-2026-44294?
CVE-2026-44294 is a vulnerability with a CVSS score of 5.3 (MEDIUM). protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Cert...
How severe is CVE-2026-44294?
CVE-2026-44294 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-44294?
Check the references section above for vendor advisories and patch information. Affected products include: Protobufjs Project Protobufjs.