CVE-2026-59876 in protobuf.jsinfo

Summary

by MITRE • 07/08/2026

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key __proto__ to change the prototype of the returned map object instead of creating an own map entry in protobufjs/ext/textformat. This issue is fixed in version 8.6.5.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability in protobufjs affects versions between 8.2.0 and 8.6.5 where the Text Format extension processes string-keyed map entries through ordinary property assignment mechanisms. This flaw represents a prototype pollution vulnerability that occurs during the parsing of serialized protocol buffer data in text format. When a map entry contains a key named _proto_, the implementation incorrectly treats this as a directive to modify the prototype chain of the resulting object rather than creating a legitimate map entry. The technical root cause lies in the improper handling of property assignment operations within the text format parser, which fails to distinguish between valid map keys and special JavaScript object properties that control prototype inheritance.

This vulnerability falls under CWE-471, which specifically addresses the issue of using an incorrect variable name or identifier that is reserved for a specific purpose. The operational impact of this prototype pollution vulnerability extends beyond simple data corruption, as it can potentially enable attackers to manipulate the behavior of JavaScript objects at runtime. In the context of protobufjs, this means that maliciously crafted protobuf text format data could alter the prototype of map objects returned by the parser, which could subsequently affect other objects sharing the same prototype chain. Such an attack vector aligns with ATT&CK technique T1553.002, specifically targeting the modification of system or application-level properties through prototype manipulation.

The security implications become particularly concerning when considering that protobufjs is widely used for data serialization and communication between different systems and services. Attackers could exploit this vulnerability by crafting malicious protobuf text format messages containing map entries with _proto_ keys, potentially leading to unexpected behavior in applications that rely on protobufjs for data processing. This type of prototype pollution can enable various attack scenarios including object poisoning, where attackers manipulate the prototype chain to inject malicious properties or methods into objects. The fix implemented in version 8.6.5 addresses this by ensuring proper handling of map key assignments that prevents unintended prototype modifications during text format parsing operations.

The remediation approach required for this vulnerability involves updating protobufjs to version 8.6.5 or later, where the text format parser has been modified to properly handle property assignment for map entries. Organizations should conduct thorough testing of their applications to ensure that the upgrade does not introduce any regressions in existing functionality. Additionally, security teams should monitor for similar patterns in other libraries that may be susceptible to prototype pollution through improper handling of object properties during deserialization processes. The vulnerability demonstrates the importance of proper input validation and sanitization when processing serialized data formats, particularly in environments where untrusted data may be processed through parsing mechanisms that interact with JavaScript's object model directly.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!