SecuriTricks - CVE-2026-44288

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.

Product(s) Impacted

Vendor	Product	Versions
Protobufjs	Protobufjs	7.5.6, 8.0.2, *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-176

Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	protobufjs	protobufjs	7.5.6	/	/	/	/	/	/	/
a	protobufjs	protobufjs	8.0.2	/	/	/	/	/	/	/
a	protobufjs	protobufjs	/	/	/	/	/	/	/	/

References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf

CVSS Score

5.3 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

View Vector String

Timeline

Published: May 13, 2026, 4:16 p.m.
Last Modified: May 13, 2026, 5:01 p.m.

Status : Undergoing Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

CVE-2026-44288