https://feed.craftedsignal.io/tags/protobufjs/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 15:07:49 +0000https://feed.craftedsignal.io/briefs/2026-05-protobufjs-code-injection/Tue, 12 May 2026 15:07:49 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-protobufjs-code-injection/protobuf.js is vulnerable to code injection (CVE-2026-44293); by crafting a protobuf descriptor with a non-string default value for a `bytes` field, an attacker can inject arbitrary Javascript code into the generated `toObject` conversion function if default values are enabled, requiring the application to load an attacker-controlled schema and convert a message of the affected type with defaults enabled.protobuf.js versions 7.5.5 and earlier, and 8.0.0 through 8.0.1 are vulnerable to code injection (CVE-2026-44293). The vulnerability stems from the way protobuf.js generates JavaScript code for toObject conversion. A malicious actor can craft a protobuf descriptor that contains a bytes field with a default value that is not a string. When the toObject function is generated, this non-string default value is included as an unsafe expression, leading to the injection of attacker-controlled code into the generated function if default values are enabled. This poses a risk when applications load untrusted protobuf schemas or descriptors, allowing for arbitrary JavaScript execution within the application’s context.

Attack Chain

1. An attacker crafts a malicious protobuf descriptor. This descriptor includes a bytes field that has a non-string default value, such as JavaScript code.
2. The attacker delivers the malicious protobuf descriptor to a vulnerable application. This could be achieved by hosting the descriptor on a server or sending it directly to the application.
3. The application loads and parses the attacker-controlled protobuf descriptor, generating code using the protobuf.js library.
4. During code generation, protobuf.js incorporates the attacker-controlled, non-string default value into the toObject conversion function.
5. The application calls the toObject function with default values enabled for the affected type.
6. When the toObject function is executed, the injected JavaScript code from the malicious default value is executed within the application’s process.
7. The attacker achieves arbitrary JavaScript execution within the context of the application.
8. The attacker may then leverage this code execution to perform unauthorized actions, such as accessing sensitive data or compromising the system.

Impact

Successful exploitation of this vulnerability (CVE-2026-44293) allows an attacker to execute arbitrary JavaScript code within the context of a vulnerable application using protobuf.js. This could lead to sensitive data exposure, unauthorized access to system resources, or complete system compromise. The impact is especially severe if the application processes untrusted protobuf schemas.

Recommendation

• Upgrade to protobuf.js version 8.0.2 or later to remediate the vulnerability.
• Avoid loading protobuf schemas or JSON descriptors from untrusted sources as described in the overview.
• Validate or restrict field options before loading schemas from untrusted sources, and run schema processing in an isolated environment as described in the workaround section.
• Deploy the Sigma rule “Detect CVE-2026-44293 Exploitation — Protobuf.js Code Injection” to identify potential exploitation attempts by monitoring for unexpected code execution during protobuf processing.

]]>highadvisorycode-injectionprotobufjsCVE-2026-44293javascripthttps://feed.craftedsignal.io/briefs/2026-05-protobufjs-dos/Tue, 12 May 2026 15:05:31 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-protobufjs-dos/protobuf.js is vulnerable to a denial-of-service (DoS) attack (CVE-2026-44289) due to unbounded recursion while decoding nested protobuf data, potentially leading to stack exhaustion and process crashes when processing crafted protobuf binary payloads.protobuf.js versions 7.5.5 and earlier, and 8.0.0 through 8.0.1, are susceptible to a denial-of-service vulnerability (CVE-2026-44289) due to unbounded recursion during the decoding of nested protobuf data. This vulnerability is triggered when the decoder encounters deeply nested structures, either through unknown group fields or nested message fields. An attacker can exploit this by crafting a malicious protobuf binary payload that, when processed by an application using a vulnerable version of protobuf.js, causes the JavaScript call stack to be exhausted. This stack exhaustion leads to a process crash or decoding failure due to a stack overflow. This vulnerability poses a risk to applications that decode untrusted protobuf binary input, potentially disrupting service availability and requiring process restarts.

Attack Chain

1. The attacker crafts a malicious protobuf binary payload. This payload contains excessively nested protobuf structures.
2. The application receives the crafted protobuf binary payload as input. This input may originate from a network request, file upload, or other data source.
3. The application uses a vulnerable version of protobuf.js (<= 7.5.5 or >= 8.0.0 and <= 8.0.1) to decode the protobuf binary data.
4. During decoding, the protobuf.js library recursively processes the nested structures within the payload.
5. Due to the excessive nesting, the JavaScript call stack grows without bound. The recursion occurs when either skipping unknown group fields or decoding nested message fields.
6. The JavaScript call stack reaches its limit, resulting in a stack overflow error.
7. The application process terminates abruptly due to the unhandled exception.
8. The application becomes unavailable, leading to a denial-of-service condition.

Impact

Successful exploitation of this vulnerability (CVE-2026-44289) leads to a denial-of-service condition, where the application processing the crafted protobuf data crashes or becomes unresponsive. The impact depends on the role of the affected application; a crash in a critical service can disrupt operations, while a crash in a less critical component may only cause temporary inconvenience. The number of affected applications depends on the adoption of vulnerable protobuf.js versions and the prevalence of untrusted protobuf data processing. The attack can cause loss of service availability and potential data integrity issues if decoding is interrupted mid-process.

Recommendation

• Upgrade protobuf.js to the latest version to patch CVE-2026-44289.
• If upgrading is not immediately feasible, implement input validation to reject excessively nested protobuf messages at the application layer.
• Consider isolating protobuf decoding within a sandboxed process that can be safely restarted to mitigate the impact of crashes.
• Deploy the Sigma rule “Detect protobuf.js Excessive Recursion Attempt” to identify potential exploitation attempts by monitoring process resource consumption.

]]>highadvisorydenial of serviceprotobufjsCVE-2026-44289https://feed.craftedsignal.io/briefs/2026-05-protobufjs-command-injection/Tue, 12 May 2026 15:00:54 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-protobufjs-command-injection/The protobuf.js CLI tool `pbts` is vulnerable to OS command injection via crafted filenames or paths with shell metacharacters, potentially leading to arbitrary command execution with the privileges of the `pbts` process when invoked on attacker-influenced file paths; CVE-2026-42290.The pbts command-line tool in protobuf.js is susceptible to OS command injection due to its construction of shell command strings from input file paths when invoking JSDoc. This occurs because file paths containing shell metacharacters are interpreted by the shell rather than being treated as plain arguments by JSDoc. This vulnerability exists in protobufjs-cli versions 1.2.0 and earlier, as well as versions 2.0.0 through 2.0.1. Successful exploitation allows an attacker to execute arbitrary shell commands within the context of the pbts process. It is important to note that this issue specifically affects the CLI tooling path; the protobuf.js runtime APIs for encoding, decoding, parsing, and loading protobuf messages remain unaffected. Defenders should focus on monitoring and restricting the usage of pbts with untrusted input.

Attack Chain

1. An attacker gains control over filenames or paths that will be processed by pbts.
2. The attacker crafts a malicious filename or path containing shell metacharacters (e.g., ;, |, &, $).
3. A user or application invokes the vulnerable pbts command, passing the attacker-controlled path as an argument.
4. pbts constructs a shell command string that includes the malicious path.
5. pbts executes the generated command string using child_process.exec.
6. The shell interprets the metacharacters in the malicious path, leading to the execution of arbitrary commands.
7. The attacker achieves arbitrary command execution with the privileges of the pbts process.
8. The attacker can then perform malicious activities such as data exfiltration, system compromise, or denial of service.

Impact

Successful exploitation of this vulnerability (CVE-2026-42290) enables an attacker to execute arbitrary shell commands with the privileges of the process running pbts. This could lead to complete system compromise, data theft, or other malicious activities. The vulnerable component is the command line tool. The number of potential victims depends on the prevalence of vulnerable protobufjs-cli versions and the degree to which pbts is used with untrusted input.

Recommendation

• Upgrade to a patched version of protobufjs-cli that addresses CVE-2026-42290.
• If upgrading is not immediately feasible, sanitize or rename input files before invoking pbts, as described in the advisory.
• Implement process monitoring to detect suspicious command execution originating from pbts processes, using the process_creation rules provided.
• Run the pbts CLI in an isolated environment with minimal privileges to limit the impact of potential command injection attacks, as described in the advisory.

]]>highadvisorycommand-injectionprotobufjscliexecution