THREATOPS
THREAT OPSThreat News › [NVD] CVE-2026-44289 (HIGH 7.5) — protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.

[NVD] CVE-2026-44289 (HIGH 7.5) — protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.

lownvdPublished 2026-05-13

CVE-2026-44289 CVSS: 7.5 HIGH Published: 2026-05-13T16:16:55.713

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the Jav

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44289