THREAT OPS › Threat News › [NVD] CVE-2026-44289 (HIGH 7.5) — protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.
[NVD] CVE-2026-44289 (HIGH 7.5) — protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.
CVE-2026-44289 CVSS: 7.5 HIGH Published: 2026-05-13T16:16:55.713
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the Jav
MITRE ATT&CK techniques
- JavaScriptT1059.007
Indicators of compromise
- CVE-2026-44289cve
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44289