5.3

CVE-2026-44288

EPSS 0.3%
Veröffentlicht 13.05.2026 14:37:26
Zuletzt bearbeitet 19.05.2026 20:46:53
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

protobufjs: Overlong UTF-8 decoding

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Protobufjs Project ≫ Protobufjs SwPlatformnode.js Version < 7.5.6

Protobufjs Project ≫ Protobufjs SwPlatformnode.js Version >= 8.0.0 < 8.0.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.215

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-176 Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding.

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-44288

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-44288

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-44288

EUVD