CVE-2026-44292
protobuf.js: Prototype injection in generated message constructors
Description
## Summary protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the `__proto__` key. If an application constructed a message from an attacker-controlled plain object, an own enumerable `__proto__` property could alter the prototype of that individual message instance. ## Impact An attacker who can control the properties object passed to a generated protobufjs message constructor or creation helper may be able to modify the prototype chain of the resulting message instance. This is a per-instance prototype injection issue. It does not pollute `Object.prototype` or other global prototypes. The impact depends on downstream application behavior, such as relying on inherited properties, prototype methods, or `instanceof` checks for message objects. Applications that only decode binary protobuf data, or that construct messages from trusted application-defined objects, are not directly affected by this issue. ## Preconditions - The application must allow an attacker to control or influence a plain object used to construct a protobufjs message. - The object must contain an own enumerable `__proto__` property, for example from parsed JSON input. - The application must pass that object to a generated message constructor or creation helper that copies arbitrary enumerable properties. ## Workarounds Do not pass attacker-controlled plain objects directly to generated message constructors with affected versions. If untrusted JSON input must be accepted, validate or sanitize object keys before constructing messages, and reject `__proto__` properties.
How to fix CVE-2026-44292
To remediate CVE-2026-44292, upgrade the affected package to a fixed version below.
- —upgrade to 7.5.6 or later
Is CVE-2026-44292 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.