{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/protobufjs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["protobufjs"],"_cs_severities":["high"],"_cs_tags":["code-injection","protobufjs","CVE-2026-44293","javascript"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eprotobuf.js versions 7.5.5 and earlier, and 8.0.0 through 8.0.1 are vulnerable to code injection (CVE-2026-44293). The vulnerability stems from the way protobuf.js generates JavaScript code for \u003ccode\u003etoObject\u003c/code\u003e conversion. A malicious actor can craft a protobuf descriptor that contains a \u003ccode\u003ebytes\u003c/code\u003e field with a default value that is not a string. When the \u003ccode\u003etoObject\u003c/code\u003e function is generated, this non-string default value is included as an unsafe expression, leading to the injection of attacker-controlled code into the generated function if default values are enabled. This poses a risk when applications load untrusted protobuf schemas or descriptors, allowing for arbitrary JavaScript execution within the application\u0026rsquo;s context.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious protobuf descriptor. This descriptor includes a \u003ccode\u003ebytes\u003c/code\u003e field that has a non-string default value, such as JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious protobuf descriptor to a vulnerable application. This could be achieved by hosting the descriptor on a server or sending it directly to the application.\u003c/li\u003e\n\u003cli\u003eThe application loads and parses the attacker-controlled protobuf descriptor, generating code using the protobuf.js library.\u003c/li\u003e\n\u003cli\u003eDuring code generation, protobuf.js incorporates the attacker-controlled, non-string default value into the \u003ccode\u003etoObject\u003c/code\u003e conversion function.\u003c/li\u003e\n\u003cli\u003eThe application calls the \u003ccode\u003etoObject\u003c/code\u003e function with default values enabled for the affected type.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003etoObject\u003c/code\u003e function is executed, the injected JavaScript code from the malicious default value is executed within the application\u0026rsquo;s process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary JavaScript execution within the context of the application.\u003c/li\u003e\n\u003cli\u003eThe attacker may then leverage this code execution to perform unauthorized actions, such as accessing sensitive data or compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-44293) allows an attacker to execute arbitrary JavaScript code within the context of a vulnerable application using protobuf.js. This could lead to sensitive data exposure, unauthorized access to system resources, or complete system compromise. The impact is especially severe if the application processes untrusted protobuf schemas.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to protobuf.js version 8.0.2 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eAvoid loading protobuf schemas or JSON descriptors from untrusted sources as described in the overview.\u003c/li\u003e\n\u003cli\u003eValidate or restrict field options before loading schemas from untrusted sources, and run schema processing in an isolated environment as described in the workaround section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-44293 Exploitation — Protobuf.js Code Injection\u0026rdquo; to identify potential exploitation attempts by monitoring for unexpected code execution during protobuf processing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:07:49Z","date_published":"2026-05-12T15:07:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-code-injection/","summary":"protobuf.js is vulnerable to code injection (CVE-2026-44293); by crafting a protobuf descriptor with a non-string default value for a `bytes` field, an attacker can inject arbitrary Javascript code into the generated `toObject` conversion function if default values are enabled, requiring the application to load an attacker-controlled schema and convert a message of the affected type with defaults enabled.","title":"protobuf.js Code Injection via Crafted Bytes Field Defaults (CVE-2026-44293)","url":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-code-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["protobufjs (\u003c= 7.5.5)","protobufjs (\u003e= 8.0.0, \u003c= 8.0.1)"],"_cs_severities":["high"],"_cs_tags":["denial of service","protobufjs","CVE-2026-44289"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eprotobuf.js versions 7.5.5 and earlier, and 8.0.0 through 8.0.1, are susceptible to a denial-of-service vulnerability (CVE-2026-44289) due to unbounded recursion during the decoding of nested protobuf data. This vulnerability is triggered when the decoder encounters deeply nested structures, either through unknown group fields or nested message fields. An attacker can exploit this by crafting a malicious protobuf binary payload that, when processed by an application using a vulnerable version of protobuf.js, causes the JavaScript call stack to be exhausted. This stack exhaustion leads to a process crash or decoding failure due to a stack overflow. This vulnerability poses a risk to applications that decode untrusted protobuf binary input, potentially disrupting service availability and requiring process restarts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious protobuf binary payload. This payload contains excessively nested protobuf structures.\u003c/li\u003e\n\u003cli\u003eThe application receives the crafted protobuf binary payload as input. This input may originate from a network request, file upload, or other data source.\u003c/li\u003e\n\u003cli\u003eThe application uses a vulnerable version of protobuf.js (\u0026lt;= 7.5.5 or \u0026gt;= 8.0.0 and \u0026lt;= 8.0.1) to decode the protobuf binary data.\u003c/li\u003e\n\u003cli\u003eDuring decoding, the protobuf.js library recursively processes the nested structures within the payload.\u003c/li\u003e\n\u003cli\u003eDue to the excessive nesting, the JavaScript call stack grows without bound. The recursion occurs when either skipping unknown group fields or decoding nested message fields.\u003c/li\u003e\n\u003cli\u003eThe JavaScript call stack reaches its limit, resulting in a stack overflow error.\u003c/li\u003e\n\u003cli\u003eThe application process terminates abruptly due to the unhandled exception.\u003c/li\u003e\n\u003cli\u003eThe application becomes unavailable, leading to a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-44289) leads to a denial-of-service condition, where the application processing the crafted protobuf data crashes or becomes unresponsive. The impact depends on the role of the affected application; a crash in a critical service can disrupt operations, while a crash in a less critical component may only cause temporary inconvenience. The number of affected applications depends on the adoption of vulnerable protobuf.js versions and the prevalence of untrusted protobuf data processing. The attack can cause loss of service availability and potential data integrity issues if decoding is interrupted mid-process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade protobuf.js to the latest version to patch CVE-2026-44289.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement input validation to reject excessively nested protobuf messages at the application layer.\u003c/li\u003e\n\u003cli\u003eConsider isolating protobuf decoding within a sandboxed process that can be safely restarted to mitigate the impact of crashes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect protobuf.js Excessive Recursion Attempt\u0026rdquo; to identify potential exploitation attempts by monitoring process resource consumption.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:05:31Z","date_published":"2026-05-12T15:05:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-dos/","summary":"protobuf.js is vulnerable to a denial-of-service (DoS) attack (CVE-2026-44289) due to unbounded recursion while decoding nested protobuf data, potentially leading to stack exhaustion and process crashes when processing crafted protobuf binary payloads.","title":"protobuf.js Denial-of-Service Vulnerability via Unbounded Recursion (CVE-2026-44289)","url":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["protobufjs-cli (\u003c= 1.2.0)","protobufjs-cli (\u003e= 2.0.0, \u003c= 2.0.1)"],"_cs_severities":["high"],"_cs_tags":["command-injection","protobufjs","cli","execution"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003epbts\u003c/code\u003e command-line tool in protobuf.js is susceptible to OS command injection due to its construction of shell command strings from input file paths when invoking JSDoc. This occurs because file paths containing shell metacharacters are interpreted by the shell rather than being treated as plain arguments by JSDoc. This vulnerability exists in protobufjs-cli versions 1.2.0 and earlier, as well as versions 2.0.0 through 2.0.1. Successful exploitation allows an attacker to execute arbitrary shell commands within the context of the \u003ccode\u003epbts\u003c/code\u003e process. It is important to note that this issue specifically affects the CLI tooling path; the protobuf.js runtime APIs for encoding, decoding, parsing, and loading protobuf messages remain unaffected. Defenders should focus on monitoring and restricting the usage of \u003ccode\u003epbts\u003c/code\u003e with untrusted input.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control over filenames or paths that will be processed by \u003ccode\u003epbts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious filename or path containing shell metacharacters (e.g., \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u003c/code\u003e, \u003ccode\u003e$\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA user or application invokes the vulnerable \u003ccode\u003epbts\u003c/code\u003e command, passing the attacker-controlled path as an argument.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epbts\u003c/code\u003e constructs a shell command string that includes the malicious path.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epbts\u003c/code\u003e executes the generated command string using \u003ccode\u003echild_process.exec\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe shell interprets the metacharacters in the malicious path, leading to the execution of arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution with the privileges of the \u003ccode\u003epbts\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform malicious activities such as data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-42290) enables an attacker to execute arbitrary shell commands with the privileges of the process running \u003ccode\u003epbts\u003c/code\u003e. This could lead to complete system compromise, data theft, or other malicious activities. The vulnerable component is the command line tool. The number of potential victims depends on the prevalence of vulnerable protobufjs-cli versions and the degree to which \u003ccode\u003epbts\u003c/code\u003e is used with untrusted input.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003eprotobufjs-cli\u003c/code\u003e that addresses CVE-2026-42290.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, sanitize or rename input files before invoking \u003ccode\u003epbts\u003c/code\u003e, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement process monitoring to detect suspicious command execution originating from \u003ccode\u003epbts\u003c/code\u003e processes, using the process_creation rules provided.\u003c/li\u003e\n\u003cli\u003eRun the \u003ccode\u003epbts\u003c/code\u003e CLI in an isolated environment with minimal privileges to limit the impact of potential command injection attacks, as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:00:54Z","date_published":"2026-05-12T15:00:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-command-injection/","summary":"The protobuf.js CLI tool `pbts` is vulnerable to OS command injection via crafted filenames or paths with shell metacharacters, potentially leading to arbitrary command execution with the privileges of the `pbts` process when invoked on attacker-influenced file paths; CVE-2026-42290.","title":"protobuf.js CLI pbts Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Protobufjs","version":"https://jsonfeed.org/version/1.1"}