5.3
CVE-2026-44294
- EPSS 0.43%
- Veröffentlicht 13.05.2026 14:44:30
- Zuletzt bearbeitet 13.05.2026 20:55:23
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginprotobufjs: Denial of service from crafted field names in generated code
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Protobufjs Project ≫ Protobufjs SwPlatformnode.js Version < 7.5.6
Protobufjs Project ≫ Protobufjs SwPlatformnode.js Version >= 8.0.0 < 8.0.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.43% | 0.343 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-2pr8-phx7-x9h3