5.3
CVE-2026-54269
- EPSS 0.24%
- Published 22.06.2026 16:23:24
- Last modified 24.06.2026 20:40:20
- Source security-advisories@github.com
protobufjs: Schema-derived names can shadow runtime-significant properties
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.
Data provided by the National Vulnerability Database (NVD)
Protobufjs Project ≫ Protobufjs, SwPlatform node.js, Version < 7.6.3
Protobufjs Project ≫ Protobufjs, SwPlatform node.js, Version >= 8.0.0 < 8.6.0
Protobufjs Project ≫ Protobufjs-cli, SwPlatform node.js, Version < 1.3.3
Protobufjs Project ≫ Protobufjs-cli, SwPlatform node.js, Version >= 2.0.0 < 2.5.1
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.145 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CWE-674 Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-754 Improper Check for Unusual or Exceptional Conditions
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7
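
A schema lint for the name collisions described in the advisory text, as an added example (not protobufjs code and not part of the advisory): it walks a protobufjs JSON descriptor and reports the names the advisory lists. The sample descriptor is constructed, the name sets cover only what the advisory names, and the rule that the RPC helper name is the method name with a lowercased first letter is an assumption.

```javascript
// Names taken from the advisory text. It says "such as $type", so these sets may be incomplete.
const FIELD_NAMES = new Set(['hasOwnProperty', '$type']);
const ONEOF_NAMES = new Set(['$type']);
const RPC_HELPER = 'rpcCall';

// Assumption: the generated helper name is the method name with its first letter lowercased.
const helperName = (name) => name.charAt(0).toLowerCase() + name.slice(1);

// Object.keys reads own keys without calling obj.hasOwnProperty, which the schema may shadow.
const ownKeys = (obj) => (obj && typeof obj === 'object' ? Object.keys(obj) : []);

// Walk a JSON descriptor ({ nested: { Name: { fields, oneofs, methods, nested } } }).
// An explicit stack is used so nesting depth in an untrusted schema cannot exhaust the call stack.
function findShadowingNames(root) {
  const findings = [];
  const stack = [{ node: root, path: '' }];
  while (stack.length > 0) {
    const { node, path } = stack.pop();
    if (!node || typeof node !== 'object') continue; // tolerate malformed entries
    for (const name of ownKeys(node.fields)) {
      if (FIELD_NAMES.has(name)) findings.push({ path, kind: 'field', name });
    }
    for (const name of ownKeys(node.oneofs)) {
      if (ONEOF_NAMES.has(name)) findings.push({ path, kind: 'oneof', name });
    }
    for (const name of ownKeys(node.methods)) {
      if (helperName(name) === RPC_HELPER) findings.push({ path, kind: 'method', name });
    }
    for (const name of ownKeys(node.nested)) {
      stack.push({ node: node.nested[name], path: path ? `${path}.${name}` : name });
    }
  }
  return findings;
}

// Constructed sample descriptor: one clean message, one message and one service with flagged names.
const SAMPLE = {
  nested: { demo: { nested: {
    Ok: { fields: { id: { type: 'int32', id: 1 } } },
    Bad: {
      oneofs: { $type: { oneof: ['a'] } },
      fields: { hasOwnProperty: { type: 'bool', id: 1 }, a: { type: 'string', id: 2 } },
    },
    Svc: { methods: { RpcCall: { requestType: 'Ok', responseType: 'Ok' } } },
  } } },
};

console.log(findShadowingNames(SAMPLE));
```

Running this over schemas accepted from outside the trust boundary gives a rejection point in front of the runtime; it does not replace upgrading to 8.6.0 or 7.6.3.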