CVE-2026-44291: protobuf.js: Code generation gadget after prototype pollution

May 12, 2026 (updated May 14, 2026)

protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.

This could cause attacker-controlled strings to be emitted into generated JavaScript code.

References

github.com/advisories/GHSA-75px-5xx7-5xc7
github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6
github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2
github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7
nvd.nist.gov/vuln/detail/CVE-2026-44291

Code Behaviors & Features

Detect and mitigate CVE-2026-44291 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →