Componentpedia / Listings / protobufjs / 6.8.5

Last update: 20/05/2026

protobufjs

Protocol Buffers for JavaScript & TypeScript.

Version: 6.8.5 registry icon
Safety score
-110
Check your open source dependency risks. Get immediate insight about security, stability and licensing risks.
De-risk your app now
Security Risks of Known Vulnerabilities
CVE-2026-44290
CWE-1321
Threat level: HIGH | CVSS score: 7.5

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.


CVE-2026-44288
CWE-176
Threat level: MEDIUM | CVSS score: 5

protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. The affected decoder accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them.


CVE-2026-41242
CWE-94
Threat level: CRITICAL | CVSS score: 9.8

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.


CVE-2026-45740
CWE-674
Threat level: HIGH | CVSS score: 7.5

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.


CVE-2022-25878
CWE-1321
Threat level: HIGH | CVSS score: 7.5

The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files


CVE-2026-44291
CWE-94
Threat level: HIGH | CVSS score: 8.1

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.


CVE-2018-3738
CWE-185
Threat level: MEDIUM | CVSS score: 5.5

protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files.


CVE-2026-44294
CWE-20
Threat level: MEDIUM | CVSS score: 5.3

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.


CVE-2026-44292
CWE-1321
Threat level: MEDIUM | CVSS score: 5.3

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the proto key. If an application constructed a message from an attacker-controlled plain object, an own enumerable proto property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.


CVE-2026-44293
CWE-94
Threat level: HIGH | CVSS score: 8.8

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.


CVE-2026-44289
CWE-674
Threat level: HIGH | CVSS score: 7.5

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.


Please note that this component is affected by other vulnerabilities
Critical  |  High  |  Medium  |  Low  |  Suggest

Latest safe major: 8.4.0 Scan your application codebase with Meterian to see all known vulnerabilities in your open source software dependencies.


Stability

Stay updated with the latest patches and releases. Plan your sofware desisgn. Avoid common known vulnerabilities fixed by the open source community

Latest patch release:   6.8.9

Latest minor release:   6.11.6

Latest major release:   8.4.0

Licensing

Maintain your licence declarations and avoid unwanted licences to protect your IP the way you intended.

BSD-3-Clause   -   BSD 3-Clause "New" or "Revised" License

Not a wildcard

Not proprietary

OSI Compliant