<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Protobufjs (&lt;= 7.5.5) — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/protobufjs--7.5.5/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 12 May 2026 15:05:31 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/protobufjs--7.5.5/feed.xml" rel="self" type="application/rss+xml"/><item><title>protobuf.js Denial-of-Service Vulnerability via Unbounded Recursion (CVE-2026-44289)</title><link>https://feed.craftedsignal.io/briefs/2026-05-protobufjs-dos/</link><pubDate>Tue, 12 May 2026 15:05:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-protobufjs-dos/</guid><description>protobuf.js is vulnerable to a denial-of-service (DoS) attack (CVE-2026-44289) due to unbounded recursion while decoding nested protobuf data, potentially leading to stack exhaustion and process crashes when processing crafted protobuf binary payloads.</description><content:encoded><![CDATA[<p>protobuf.js versions 7.5.5 and earlier, and 8.0.0 through 8.0.1, are susceptible to a denial-of-service vulnerability (CVE-2026-44289) due to unbounded recursion during the decoding of nested protobuf data. This vulnerability is triggered when the decoder encounters deeply nested structures, either through unknown group fields or nested message fields. An attacker can exploit this by crafting a malicious protobuf binary payload that, when processed by an application using a vulnerable version of protobuf.js, causes the JavaScript call stack to be exhausted. 
The resulting stack overflow causes a process crash or a decoding failure. This vulnerability poses a risk to applications that decode untrusted protobuf binary input, potentially disrupting service availability and requiring process restarts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious protobuf binary payload. This payload contains excessively nested protobuf structures.</li>
<li>The application receives the crafted protobuf binary payload as input. This input may originate from a network request, file upload, or other data source.</li>
<li>The application uses a vulnerable version of protobuf.js (&lt;= 7.5.5 or &gt;= 8.0.0 and &lt;= 8.0.1) to decode the protobuf binary data.</li>
<li>During decoding, the protobuf.js library recursively processes the nested structures within the payload.</li>
<li>Due to the excessive nesting, the JavaScript call stack grows without bound. The recursion occurs when either skipping unknown group fields or decoding nested message fields.</li>
<li>The JavaScript call stack reaches its limit, resulting in a stack overflow error.</li>
<li>The application process terminates abruptly due to the unhandled exception.</li>
<li>The application becomes unavailable, leading to a denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-44289) leads to a denial-of-service condition, where the application processing the crafted protobuf data crashes or becomes unresponsive. The impact depends on the role of the affected application; a crash in a critical service can disrupt operations, while a crash in a less critical component may only cause temporary inconvenience. The number of affected applications depends on the adoption of vulnerable protobuf.js versions and the prevalence of untrusted protobuf data processing. The attack can cause loss of service availability and potential data integrity issues if decoding is interrupted mid-process.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade protobuf.js to the latest version to patch CVE-2026-44289.</li>
<li>If upgrading is not immediately feasible, implement input validation to reject excessively nested protobuf messages at the application layer.</li>
<li>Consider isolating protobuf decoding within a sandboxed process that can be safely restarted to mitigate the impact of crashes.</li>
<li>Deploy the Sigma rule &ldquo;Detect protobuf.js Excessive Recursion Attempt&rdquo; to identify potential exploitation attempts by monitoring process resource consumption.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial of service</category><category>protobufjs</category><category>CVE-2026-44289</category></item><item><title>protobuf.js Prototype Pollution Leads to Code Generation Gadget</title><link>https://feed.craftedsignal.io/briefs/2026-05-protobufjs-prototype-pollution/</link><pubDate>Tue, 12 May 2026 15:02:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-protobufjs-prototype-pollution/</guid><description>protobufjs versions 7.5.5 and earlier, as well as versions 8.0.0 through 8.0.1, are vulnerable to arbitrary JavaScript execution if Object.prototype has been polluted, allowing attackers to influence generated encode/decode functions.</description><content:encoded><![CDATA[<p>The protobuf.js library, a JavaScript implementation of Protocol Buffers, is susceptible to a code generation gadget vulnerability (CVE-2026-44291). Specifically, versions 7.5.5 and earlier, as well as versions 8.0.0 through 8.0.1, utilize plain objects with inherited prototypes for internal type lookup tables. If an attacker can first pollute the <code>Object.prototype</code>, they can inject attacker-controlled strings into generated JavaScript code via protobufjs encode or decode functions. This occurs because the lookup tables can resolve attacker-controlled inherited properties as valid protobuf type information. Exploitation necessitates a separate prototype pollution primitive and requires the application to use protobufjs functionality that generates code for affected types. This issue poses a significant risk in environments where untrusted input can influence the <code>Object.prototype</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a prototype pollution vulnerability within the application or one of its dependencies.</li>
<li>The attacker leverages the prototype pollution vulnerability to inject malicious properties into <code>Object.prototype</code>.</li>
<li>The injected properties are crafted to influence protobufjs&rsquo;s internal type lookup tables.</li>
<li>The application invokes protobufjs functionality to generate encode or decode functions for protobuf messages.</li>
<li>Due to the prototype pollution, the generated code includes attacker-controlled strings, leading to unexpected behavior.</li>
<li>The generated code is executed within the application&rsquo;s context.</li>
<li>The attacker-controlled strings in the generated code are interpreted as JavaScript code.</li>
<li>This leads to arbitrary JavaScript execution within the application, potentially allowing the attacker to compromise the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to achieve arbitrary JavaScript execution within the context of the affected application. This could lead to complete compromise of the application and potentially the underlying system. The severity of the impact is high, as it allows for remote code execution (RCE). No information about specific victim counts or targeted sectors is available at this time.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade protobufjs to a patched version (later than 7.5.5 or 8.0.1) to remediate CVE-2026-44291.</li>
<li>Review and mitigate any potential prototype pollution vulnerabilities in your application or its dependencies; as the overview notes, exploitation requires a separate prototype pollution primitive.</li>
<li>Deploy the Sigma rule &ldquo;Detect Prototype Pollution Attempts via Object.prototype Modification&rdquo; to identify potential prototype pollution attacks targeting <code>Object.prototype</code>.</li>
<li>If immediate upgrade is not possible, isolate schema/message processing from untrusted application state.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>prototype-pollution</category><category>code-generation</category><category>javascript</category></item></channel></rss>