CVE-2026-44288
Input Validation vulnerability in protobufjs (npm)

Weakness class: Input Validation. Public exploits: none known.

What is CVE-2026-44288 About?

The minimal UTF-8 decoder in protobufjs accepts overlong UTF-8 byte sequences (a character encoded in more bytes than its shortest form) and decodes them to the same character as the canonical encoding, and it accepts code points outside the Unicode range (above U+10FFFF) instead of rejecting them. Because the non-canonical bytes differ from what an application-level check sees when it inspects raw bytes before protobuf string decoding, such checks can be bypassed, which becomes a security problem when the decoded strings are used in sensitive contexts. How easy this is to exploit depends on whether the application relies on byte-level filtering and on how it uses the decoded strings downstream.

Affected Software

  • protobufjs
    • <7.5.6
    • >=8.0.0, <8.0.2
  • @protobufjs/utf8
    • <1.1.1

Technical Details

protobufjs ships a minimal UTF-8 decoder (the @protobufjs/utf8 package) that is used when the native decoder is unavailable, i.e. in non-Node.js builds and in fallback decoding paths. The decoder masks and shifts the payload bits of each byte but does not verify that a multi-byte sequence is the shortest encoding of its value or that the value is a valid Unicode scalar. Consequently it accepts overlong encodings and out-of-range code points and, instead of raising an error or substituting U+FFFD as a strict decoder would, turns overlong sequences into the character they non-canonically encode. For example, the two-byte sequence 0xC0 0xAF is an overlong encoding of '/' (U+002F): a conforming decoder rejects it, while a lenient one returns '/'. An attacker who controls protobuf binary data can therefore craft a string field whose raw bytes contain none of the ASCII bytes a pre-decoding filter looks for (such as '/' or '.'), yet which decodes to a string that does contain those characters. The vulnerability is triggered whenever attacker-controlled protobuf data is decoded through the minimal decoder: byte-level checks applied before decoding are bypassed and the decoded string reaches security-sensitive code with unexpected content. Running on Node.js does not by itself guarantee the native path; what matters is which decoding path protobufjs actually selects for the input it is given.
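The following Node.js script is an added illustration for this advisory; it is not protobufjs's code or a proof of concept against any application. It contrasts a lenient mask-and-shift decoder, written here to model the behaviour described above, with the strict WHATWG decoder, and shows why a byte-level filter applied before decoding is the wrong place for a policy check. The sample bytes are constructed, and the function names (`lenientUtf8Decode`, `strictUtf8Decode`, `overlongEncode`, `byteFilterRejects`, `decodeAndCheck`) are the example's own.

```javascript
// Added example for this advisory; not protobufjs's code. It models only the
// behaviour the advisory describes. Runs on Node.js 18+ (global TextDecoder
// and Buffer), no dependencies.

// Lenient "mask and shift" decoder in the style of a minimal UTF-8 reader:
// it never checks that a sequence is the shortest encoding of its value or
// that the value is a Unicode scalar, so overlong forms collapse to the
// character they spell and out-of-range values are accepted silently.
function lenientUtf8Decode(bytes) {
  const units = []; // UTF-16 code units
  let i = 0;
  while (i < bytes.length) {
    const b = bytes[i++];
    let cp, extra;
    if (b < 0x80)      { cp = b;        extra = 0; }
    else if (b < 0xc0) { cp = 0xfffd;   extra = 0; } // stray continuation byte
    else if (b < 0xe0) { cp = b & 0x1f; extra = 1; }
    else if (b < 0xf0) { cp = b & 0x0f; extra = 2; }
    else               { cp = b & 0x07; extra = 3; }
    for (let k = 0; k < extra; k++) cp = (cp << 6) | (bytes[i++] & 0x3f);
    if (cp <= 0xffff) {
      units.push(cp);
    } else {
      // Surrogate-pair arithmetic with no upper-bound check: values above
      // U+10FFFF wrap into unrelated code units instead of raising an error.
      const t = cp - 0x10000;
      units.push(0xd800 + (t >> 10), 0xdc00 + (t & 0x3ff));
    }
  }
  return String.fromCharCode(...units);
}

// Strict decoding: the WHATWG decoder with fatal: true rejects overlong
// forms, encoded surrogates and values above U+10FFFF instead of mapping them.
function strictUtf8Decode(bytes) {
  try {
    return new TextDecoder('utf-8', { fatal: true }).decode(Uint8Array.from(bytes));
  } catch (err) {
    return null; // TypeError: the bytes are not valid UTF-8
  }
}

// Build the n-byte (2..4) non-shortest encoding of a code point that fits in
// fewer bytes. A conforming decoder must reject every sequence built this way.
function overlongEncode(cp, n) {
  const lead = { 2: 0xc0, 3: 0xe0, 4: 0xf0 }[n];
  const out = [lead | (cp >> (6 * (n - 1)))];
  for (let j = n - 2; j >= 0; j--) out.push(0x80 | ((cp >> (6 * j)) & 0x3f));
  return out;
}

// A byte-level filter of the kind the advisory says is bypassed: it scans the
// raw field bytes for '/' (0x2F) and '.' (0x2E) before any decoding happens.
function byteFilterRejects(bytes) {
  return bytes.some((b) => b === 0x2f || b === 0x2e);
}

// Hardened pattern: decode strictly first, then apply the same policy to the
// decoded string, so the check sees exactly what downstream code will see.
function decodeAndCheck(bytes) {
  const s = strictUtf8Decode(bytes);
  if (s === null) return { ok: false, reason: 'invalid UTF-8' };
  if (/[\/.]/.test(s)) return { ok: false, reason: 'disallowed character' };
  return { ok: true, value: s };
}

// Constructed sample: "a" + overlong "/" + "b" (bytes 61 C0 AF 62), i.e. a
// string field whose raw bytes contain no 0x2F yet decode to "a/b" leniently.
const SAMPLE = [0x61, ...overlongEncode(0x2f, 2), 0x62];

function compare(bytes) {
  return {
    byteFilterRejects: byteFilterRejects(bytes),
    lenient: lenientUtf8Decode(bytes),
    strict: strictUtf8Decode(bytes),
    hardened: decodeAndCheck(bytes),
  };
}

console.log(compare(SAMPLE));
// { byteFilterRejects: false, lenient: 'a/b', strict: null,
//   hardened: { ok: false, reason: 'invalid UTF-8' } }
```

The three-byte form `E0 80 AF` (from `overlongEncode(0x2f, 3)`) behaves the same way: the byte filter passes it, the lenient decoder yields `a/b`, the strict decoder rejects it. The practical rule is that whatever policy a string must satisfy should be enforced on the string the application will actually use, after a decoder that rejects non-shortest forms; where a strict decoder is not available, checking that the decoded string re-encodes to the original bytes catches the same cases.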

What is the Impact of CVE-2026-44288?

Successful exploitation lets an attacker bypass application-level byte filtering, so that a decoded string contains characters the filter was meant to exclude (for example a path separator in a filename). The concrete impact depends on where that string ends up: in a security-sensitive context, the smuggled characters can enable the follow-on vulnerability the filter was guarding against.

What is the Exploitability of CVE-2026-44288?

Exploitation requires that the application decode attacker-influenced protobuf binary data through protobufjs's minimal UTF-8 decoder rather than a native one, that it rely on byte-level filtering or validation performed before protobuf string decoding, and that the decoded string then reach a security-sensitive context. Direct exploitation is therefore application-specific: it depends on the validation logic in place and on how string data is used after decoding, and it fails where the application validates the decoded string itself rather than its raw bytes.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2026-44288?

Available Upgrade Options

  • @protobufjs/utf8
    • <1.1.1 → Upgrade to 1.1.1
  • protobufjs
    • <7.5.6 → Upgrade to 7.5.6
    • >=8.0.0, <8.0.2 → Upgrade to 8.0.2


Additional Resources

What are Similar Vulnerabilities to CVE-2026-44288?

Similar Vulnerabilities: CVE-2021-42574, CVE-2020-13778, CVE-2019-1010307, CVE-2018-12502, CVE-2014-0466