216.73.216.233

CVE-2026-44288

· Published 13/05/2026 16:16 · Modified 13/05/2026 17:01

Labels: CVE-2026-44288 2026-05-13CVE-2026-44288CWE-176[email protected]

Essential information

Published
13/05/2026 16:16
Modified
13/05/2026 17:01
Author
Creator
CVSS
5.3 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS metrics

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.

NVD status

Status
Undergoing Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
protobufjs / protobufjs cpe:2.3:a:protobufjs:protobufjs:7.5.6:*:*:*:*:*:*:*
protobufjs / protobufjs cpe:2.3:a:protobufjs:protobufjs:8.0.2:*:*:*:*:*:*:*
protobufjs / protobufjs cpe:2.3:a:protobufjs:protobufjs:*:*:*:*:*:*:*:*

References