CVE-2026-44291
protobuf.js: Code generation gadget after prototype pollution
Description
## Summary

protobufjs used plain objects with inherited prototypes for the internal type lookup tables consulted by its generated encode and decode functions. If `Object.prototype` had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code.

## Impact

An attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution. This issue requires a separate prototype pollution primitive before protobufjs is invoked. Applications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.

## Preconditions

- The application or one of its dependencies must allow an attacker to pollute `Object.prototype`.
- The polluted property must affect protobufjs internal type lookup behavior.
- The application must use protobufjs functionality that generates encode or decode code for affected types.
- The generated code path must be reached after the prototype pollution has occurred.

## Workarounds

Avoid running affected versions in applications where attacker-controlled input can pollute `Object.prototype`. If an immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.
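As an added illustration (not protobufjs source and not the project's actual fix), the pattern the advisory describes: a code generator whose type table is a plain object resolves an inherited property as if it were a registered type and copies its value into the emitted code string, while a null-prototype table with an own-property check rejects it. `KNOWN_TYPES`, `generateVulnerable`, `generateHardened` and the `bogusType` key are constructed names for this example.

```javascript
// Constructed table of registered types -> code fragment the generator emits.
const KNOWN_TYPES = { int32: "w.int32(v)", string: "w.string(v)" };

// Vulnerable pattern: plain-object table, bare property access. Anything
// reachable through the prototype chain resolves as a "type", so a polluted
// Object.prototype key lands verbatim in the generated source.
function generateVulnerable(typeName) {
  const fragment = KNOWN_TYPES[typeName];
  if (fragment === undefined) throw new Error(`unknown type: ${typeName}`);
  return `function encode(v, w) { ${fragment}; }`;
}

// Hardened pattern: a table with no prototype at all, plus an own-property
// check, so inherited properties can never be mistaken for type information.
const SAFE_TYPES = Object.assign(Object.create(null), KNOWN_TYPES);

function generateHardened(typeName) {
  if (!Object.hasOwn(SAFE_TYPES, typeName)) {
    throw new Error(`unknown type: ${typeName}`);
  }
  return `function encode(v, w) { ${SAFE_TYPES[typeName]}; }`;
}

// Runs fn while Object.prototype carries one extra property (a constructed
// test condition standing in for a real pollution primitive), then restores it.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key,
    { value, configurable: true, writable: true, enumerable: false });
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// Asks both generators for a type name that exists only as a polluted
// inherited property and reports what each one produced.
function demo() {
  const marker = "/*INJECTED*/";
  return withPollutedPrototype("bogusType", marker, () => {
    let vulnerable, hardened;
    try { vulnerable = generateVulnerable("bogusType"); } catch (e) { vulnerable = "rejected"; }
    try { hardened = generateHardened("bogusType"); } catch (e) { hardened = "rejected"; }
    return { vulnerable, hardened };
  });
}

console.log(demo());
```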
How to fix CVE-2026-44291
To remediate CVE-2026-44291, upgrade the affected package to a fixed version below.
- protobufjs: upgrade to 7.5.6 or later
Is CVE-2026-44291 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- protobufjs: all versions from 0 up to, but not including, 7.5.6