CVE-2026-54269: protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names th...

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Probability

0.24%

14.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Protobufjs Project	Protobufjs	< 7.6.3
Protobufjs Project	Protobufjs	>= 8.0.0, < 8.6.0
Protobufjs Project	Protobufjs-Cli	< 1.3.3
Protobufjs Project	Protobufjs-Cli	>= 2.0.0, < 2.5.1

References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7Vendor Advisory

Timeline

Published: Jun 22, 2026
Last Modified: Jun 24, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-54269?

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.

How severe is CVE-2026-54269?

CVE-2026-54269 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.24% probability of exploitation in the next 30 days.

How do I fix CVE-2026-54269?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.