๐Ÿ” CVE Alert

CVE-2026-59876

MEDIUM 4.8

protobufjs: Text Format string map parsing can mutate returned map object prototype

CVSS Score
4.8
EPSS Score
0.2%
EPSS Percentile
13th

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key __proto__ to change the prototype of the returned map object instead of creating an own map entry in protobufjs/ext/textformat. This issue is fixed in version 8.6.5.

CWE CWE-1321
Vendor protobufjs
Product protobuf.js
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for protobufjs protobuf.js

Be the first to know when new medium vulnerabilities affecting protobufjs protobuf.js are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

protobufjs / protobuf.js
>= 8.2.0, < 8.6.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jfj6-75fj-8934 github.com: https://github.com/protobufjs/protobuf.js/pull/2335 github.com: https://github.com/protobufjs/protobuf.js/commit/9f97fe413072d3beb52c74e62d88ea8adc9444d8 github.com: https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.6.5