protobufjs
npm | 12 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting protobufjs
- CVE-2018-3738 | MEDIUM | CVSS 5.5 | EG 5.5 | ✓ Fixed in 5.0.3 | 2018-06-07
protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files.
- CVE-2022-25878 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 6.10.3 | 2022-05-27
The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to…
- CVE-2023-36665 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 6.11.4 | 2023-07-05
protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.proto…
- CVE-2026-41242 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 7.5.5 | 2026-04-18
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding…
- CVE-2026-44288 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 8.0.2 | 2026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters inste…
- CVE-2026-44289 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 8.0.2 | 2026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and gen…
- CVE-2026-44290 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 8.0.2 | 2026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf sc…
- CVE-2026-44291 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 8.0.2 | 2026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Ob…
- CVE-2026-44292 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 8.0.2 | 2026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key…
- CVE-2026-44293 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 8.0.2 | 2026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field defa…
- CVE-2026-44294 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 8.0.2 | 2026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names w…
- CVE-2026-45740 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 8.2.0 | 2026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A cr…