{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/protobufjs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["protobufjs"],"_cs_severities":["high"],"_cs_tags":["code-injection","protobufjs","CVE-2026-44293","javascript"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eprotobuf.js versions 7.5.5 and earlier, and 8.0.0 through 8.0.1 are vulnerable to code injection (CVE-2026-44293). The vulnerability stems from the way protobuf.js generates JavaScript code for \u003ccode\u003etoObject\u003c/code\u003e conversion. A malicious actor can craft a protobuf descriptor that contains a \u003ccode\u003ebytes\u003c/code\u003e field with a default value that is not a string. When the \u003ccode\u003etoObject\u003c/code\u003e function is generated, this non-string default value is included as an unsafe expression, leading to the injection of attacker-controlled code into the generated function if default values are enabled. This poses a risk when applications load untrusted protobuf schemas or descriptors, allowing for arbitrary JavaScript execution within the application\u0026rsquo;s context.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious protobuf descriptor. This descriptor includes a \u003ccode\u003ebytes\u003c/code\u003e field that has a non-string default value, such as JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious protobuf descriptor to a vulnerable application. This could be achieved by hosting the descriptor on a server or sending it directly to the application.\u003c/li\u003e\n\u003cli\u003eThe application loads and parses the attacker-controlled protobuf descriptor, generating code using the protobuf.js library.\u003c/li\u003e\n\u003cli\u003eDuring code generation, protobuf.js incorporates the attacker-controlled, non-string default value into the \u003ccode\u003etoObject\u003c/code\u003e conversion function.\u003c/li\u003e\n\u003cli\u003eThe application calls the \u003ccode\u003etoObject\u003c/code\u003e function with default values enabled for the affected type.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003etoObject\u003c/code\u003e function is executed, the injected JavaScript code from the malicious default value is executed within the application\u0026rsquo;s process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary JavaScript execution within the context of the application.\u003c/li\u003e\n\u003cli\u003eThe attacker may then leverage this code execution to perform unauthorized actions, such as accessing sensitive data or compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-44293) allows an attacker to execute arbitrary JavaScript code within the context of a vulnerable application using protobuf.js. This could lead to sensitive data exposure, unauthorized access to system resources, or complete system compromise. The impact is especially severe if the application processes untrusted protobuf schemas.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to protobuf.js version 8.0.2 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eAvoid loading protobuf schemas or JSON descriptors from untrusted sources as described in the overview.\u003c/li\u003e\n\u003cli\u003eValidate or restrict field options before loading schemas from untrusted sources, and run schema processing in an isolated environment as described in the workaround section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-44293 Exploitation — Protobuf.js Code Injection\u0026rdquo; to identify potential exploitation attempts by monitoring for unexpected code execution during protobuf processing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:07:49Z","date_published":"2026-05-12T15:07:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-code-injection/","summary":"protobuf.js is vulnerable to code injection (CVE-2026-44293); by crafting a protobuf descriptor with a non-string default value for a `bytes` field, an attacker can inject arbitrary JavaScript code into the generated `toObject` conversion function if default values are enabled, requiring the application to load an attacker-controlled schema and convert a message of the affected type with defaults enabled.","title":"protobuf.js Code Injection via Crafted Bytes Field Defaults (CVE-2026-44293)","url":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Protobufjs","version":"https://jsonfeed.org/version/1.1"}