Protobufjs — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/protobufjs/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 15:07:49 +0000protobuf.js Code Injection via Crafted Bytes Field Defaults (CVE-2026-44293)https://feed.craftedsignal.io/briefs/2026-05-protobufjs-code-injection/Tue, 12 May 2026 15:07:49 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-protobufjs-code-injection/protobuf.js is vulnerable to code injection (CVE-2026-44293); by crafting a protobuf descriptor with a non-string default value for a `bytes` field, an attacker can inject arbitrary Javascript code into the generated `toObject` conversion function if default values are enabled, requiring the application to load an attacker-controlled schema and convert a message of the affected type with defaults enabled.protobuf.js versions 7.5.5 and earlier, and 8.0.0 through 8.0.1 are vulnerable to code injection (CVE-2026-44293). The vulnerability stems from the way protobuf.js generates JavaScript code for toObject conversion. A malicious actor can craft a protobuf descriptor that contains a bytes field with a default value that is not a string. When the toObject function is generated, this non-string default value is included as an unsafe expression, leading to the injection of attacker-controlled code into the generated function if default values are enabled. This poses a risk when applications load untrusted protobuf schemas or descriptors, allowing for arbitrary JavaScript execution within the application’s context.

Attack Chain

  1. An attacker crafts a malicious protobuf descriptor. This descriptor includes a bytes field that has a non-string default value, such as JavaScript code.
  2. The attacker delivers the malicious protobuf descriptor to a vulnerable application. This could be achieved by hosting the descriptor on a server or sending it directly to the application.
  3. The application loads and parses the attacker-controlled protobuf descriptor, generating code using the protobuf.js library.
  4. During code generation, protobuf.js incorporates the attacker-controlled, non-string default value into the toObject conversion function.
  5. The application calls the toObject function with default values enabled for the affected type.
  6. When the toObject function is executed, the injected JavaScript code from the malicious default value is executed within the application’s process.
  7. The attacker achieves arbitrary JavaScript execution within the context of the application.
  8. The attacker may then leverage this code execution to perform unauthorized actions, such as accessing sensitive data or compromising the system.

Impact

Successful exploitation of this vulnerability (CVE-2026-44293) allows an attacker to execute arbitrary JavaScript code within the context of a vulnerable application using protobuf.js. This could lead to sensitive data exposure, unauthorized access to system resources, or complete system compromise. The impact is especially severe if the application processes untrusted protobuf schemas.

Recommendation

  • Upgrade to protobuf.js version 8.0.2 or later to remediate the vulnerability.
  • Avoid loading protobuf schemas or JSON descriptors from untrusted sources as described in the overview.
  • Validate or restrict field options before loading schemas from untrusted sources, and run schema processing in an isolated environment as described in the workaround section.
  • Deploy the Sigma rule “Detect CVE-2026-44293 Exploitation — Protobuf.js Code Injection” to identify potential exploitation attempts by monitoring for unexpected code execution during protobuf processing.
]]>highadvisorycode-injectionprotobufjsCVE-2026-44293javascript