CVE-2026-44291
protobuf.js: Code generation gadget after prototype pollution
Description
Summary
protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.
This could cause attacker-controlled strings to be emitted into generated JavaScript code.
Impact
An attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution.
This issue requires a separate prototype pollution primitive before protobufjs is invoked.
Applications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.
Preconditions
- The application or one of its dependencies must allow an attacker to pollute
Object.prototype. - The polluted property must affect protobufjs internal type lookup behavior.
- The application must use protobufjs functionality that generates encode or decode code for affected types.
- The generated code path must be reached after the prototype pollution has occurred.
Workarounds
Avoid running affected versions in applications where attacker-controlled input can pollute Object.prototype. If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.
Patch Available
Fix available through Seal Security.
No upgrade required, protect your application instantly.
