CVE-2026-54269

Source
https://cve.org/CVERecord?id=CVE-2026-54269
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-54269.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-54269
Published
2026-06-22T16:23:24.383Z
Modified
2026-06-24T03:54:01.600525067Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
protobufjs: Schema-derived names can shadow runtime-significant properties
Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.
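
A pre-load check for the names listed above, as an added example that is not part of the advisory or of protobufjs: it walks a protobufjs JSON descriptor and reports fields, oneofs and service methods that use them. The helper-name rule (method name with its first letter lowercased), the depth cap and the sample descriptor are assumptions made for this example.

```javascript
// Added example: lint a protobufjs JSON descriptor for the names in CVE-2026-54269.
const RISKY_FIELDS = new Set(["hasOwnProperty", "$type"]); // names given in the advisory
const RISKY_ONEOFS = new Set(["$type"]);
const RISKY_RPC_HELPER = "rpcCall";
const MAX_DEPTH = 64; // assumed cap so the linter itself cannot recurse without bound

// Assumption: the generated helper name is the method name with a lowercased first letter.
const helperName = (m) => m.charAt(0).toLowerCase() + m.slice(1);
// Own keys only, so a descriptor key named "hasOwnProperty" cannot confuse this code.
const ownKeys = (o) => (o && typeof o === "object" ? Object.keys(o) : []);
const join = (p, n) => (p ? `${p}.${n}` : n);

function findShadowingNames(node, path = "", depth = 0, out = []) {
  if (depth > MAX_DEPTH) throw new Error(`descriptor nested deeper than ${MAX_DEPTH}`);
  for (const n of ownKeys(node.fields))
    if (RISKY_FIELDS.has(n)) out.push({ kind: "field", path: join(path, n) });
  for (const n of ownKeys(node.oneofs))
    if (RISKY_ONEOFS.has(n)) out.push({ kind: "oneof", path: join(path, n) });
  for (const n of ownKeys(node.methods))
    if (helperName(n) === RISKY_RPC_HELPER) out.push({ kind: "method", path: join(path, n) });
  for (const n of ownKeys(node.nested)) {
    const child = node.nested[n];
    if (child && typeof child === "object")
      findShadowingNames(child, join(path, n), depth + 1, out);
  }
  return out;
}

// Constructed sample descriptor (not from the advisory).
const SAMPLE = {
  nested: {
    demo: {
      nested: {
        Safe: { fields: { id: { type: "int32", id: 1 } } },
        Odd: {
          oneofs: { $type: { oneof: ["hasOwnProperty"] } },
          fields: { hasOwnProperty: { type: "string", id: 1 } },
        },
        Api: { methods: { RpcCall: { requestType: "Safe", responseType: "Safe" } } },
      },
    },
  },
};

console.log(findShadowingNames(SAMPLE));
```

The check only flags schemas worth reviewing before an older version loads them; the fix itself is the upgrade to 8.6.0 or 7.6.3.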

Database specific
{
    "cwe_ids": [
        "CWE-674",
        "CWE-754"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54269.json",
    "cna_assigner": "GitHub_M"
}

Affected packages

Git / github.com/protobufjs/protobuf.js

Affected ranges

Type
GIT
Repo
https://github.com/protobufjs/protobuf.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.6.3"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.6.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

6.*
6.0.0
6.0.1
6.0.2
6.1.0
6.1.1
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.5.0
6.5.1
6.5.2
6.5.3
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.7.0
6.7.1
6.7.2
6.7.3
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.8.5
6.8.6
6.8.7
6.8.8
aspromise-v1.*
aspromise-v1.1.2
base64-v1.*
base64-v1.1.2
codegen-v2.*
codegen-v2.0.5
eventemitter-v1.*
eventemitter-v1.1.1
fetch-v1.*
fetch-v1.1.1
float-v1.*
float-v1.0.2
inquire-v1.*
inquire-v1.1.2
path-v1.*
path-v1.1.2
pool-v1.*
pool-v1.1.0
protobufjs-cli-v1.*
protobufjs-cli-v1.0.0
protobufjs-cli-v1.0.1
protobufjs-cli-v1.0.2
protobufjs-cli-v1.1.0
protobufjs-cli-v1.1.1
protobufjs-cli-v1.1.2
protobufjs-cli-v1.1.3
protobufjs-cli-v1.1.4
protobufjs-cli-v1.2.0
protobufjs-cli-v1.2.1
protobufjs-cli-v1.2.2
protobufjs-cli-v1.3.0
protobufjs-cli-v1.3.1
protobufjs-cli-v1.3.2
protobufjs-cli-v2.*
protobufjs-cli-v2.0.0
protobufjs-cli-v2.0.1
protobufjs-cli-v2.0.2
protobufjs-cli-v2.0.3
protobufjs-cli-v2.2.0
protobufjs-cli-v2.2.1
protobufjs-cli-v2.3.0
protobufjs-cli-v2.4.0
protobufjs-cli-v2.4.1
protobufjs-cli-v2.4.2
protobufjs-cli-v2.5.0
protobufjs-v7.*
protobufjs-v7.0.0
protobufjs-v7.1.0
protobufjs-v7.1.1
protobufjs-v7.1.2
protobufjs-v7.2.0
protobufjs-v7.2.1
protobufjs-v7.2.2
protobufjs-v7.2.3
protobufjs-v7.2.4
protobufjs-v7.2.5
protobufjs-v7.2.6
protobufjs-v7.3.0
protobufjs-v7.3.1
protobufjs-v7.3.2
protobufjs-v7.3.3
protobufjs-v7.4.0
protobufjs-v7.5.0
protobufjs-v7.5.1
protobufjs-v7.5.2
protobufjs-v7.5.3
protobufjs-v7.5.4
protobufjs-v7.5.5
protobufjs-v7.5.6
protobufjs-v7.5.7
protobufjs-v7.5.8
protobufjs-v7.5.9
protobufjs-v7.6.0
protobufjs-v7.6.1
protobufjs-v7.6.2
protobufjs-v8.*
protobufjs-v8.0.0
protobufjs-v8.0.1
protobufjs-v8.0.2
protobufjs-v8.0.3
protobufjs-v8.2.0
protobufjs-v8.2.1
protobufjs-v8.3.0
protobufjs-v8.4.0
protobufjs-v8.4.1
protobufjs-v8.4.2
protobufjs-v8.5.0
utf8-v1.*
utf8-v1.1.1
v6.*
v6.10.0
v6.10.0-beta.0
v6.10.0-beta.1
v6.10.0-beta.2
v6.10.1
v6.10.1-beta.0
v6.10.2
v6.9.0
v6.9.0-beta.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-54269.json"