CVE-2026-44294
protobuf.js: Denial of service from crafted field names in generated code
Description
## Summary protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. ## Impact An attacker who can provide or influence a protobuf schema or JSON descriptor may be able to make affected message types unusable by causing protobufjs runtime code generation to throw a syntax error. This is a denial of service issue for applications that load untrusted schemas or descriptors. Applications that only use trusted, application-defined schemas are not directly affected by this issue. The issue is not known to allow code execution by itself. ## Preconditions - The application must allow an attacker to control or influence a protobuf schema or JSON descriptor. - The crafted input must define a field name containing control characters that reach generated JavaScript property access. - The application must perform an operation that triggers protobufjs code generation for the affected type, such as encode, decode, verify, `fromObject`, or `toObject`. ## Workarounds Do not load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate field names before loading them and reject names containing control characters.
How to fix CVE-2026-44294
To remediate CVE-2026-44294, upgrade the affected package to a fixed version below.
- —upgrade to 7.5.6 or later
Is CVE-2026-44294 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 7.5.6