DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-54269: CVE-2026-54269: Runtime Property Shadowing and Denial of Service in protobufjs

CVE-2026-54269: Runtime Property Shadowing and Denial of Service in protobufjs

Vulnerability ID: CVE-2026-54269
CVSS Score: 5.3
Published: 2026-06-22

A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.

TL;DR

Untrusted protobuf schemas can define fields matching internal properties (such as 'hasOwnProperty' or 'rpcCall'), triggering uncaught runtime exceptions that crash the execution thread (Denial of Service).


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-754, CWE-674
  • Attack Vector: Network
  • CVSS Score: 5.3 (Medium)
  • EPSS Score: 0.0024 (Percentile: 14.70%)
  • Impact: Denial of Service (DoS)
  • Exploit Status: Proof of Concept available
  • KEV Status: Not listed

Affected Systems

  • protobufjs
  • protobufjs-cli
  • protobufjs: < 7.6.3 (Fixed in: 7.6.3)
  • protobufjs: >= 8.0.0, < 8.6.0 (Fixed in: 8.6.0)
  • protobufjs-cli: < 1.3.3 (Fixed in: 1.3.3)
  • protobufjs-cli: >= 2.0.0, < 2.5.1 (Fixed in: 2.5.1)

Code Analysis

Commit: 78a9576

Avoid shadowing prototype properties

Mitigation Strategies

  • Upgrade the dependency package to a patched release version.
  • Establish strict schema validation rules to filter out conflict-prone property names.
  • Ensure process management tools are configured to restart terminated nodes automatically.

Remediation Steps:

  1. Locate and review package.json configurations for protobufjs and protobufjs-cli.
  2. Update protobufjs to 7.6.3 or 8.6.0 depending on the active major version.
  3. Update protobufjs-cli to 1.3.3 or 2.5.1 to secure static code generation.
  4. Regenerate any pre-compiled JavaScript static schema files using the updated CLI.
  5. Deploy runtime validation logic to reject schema definitions containing the strings 'hasOwnProperty' or 'rpcCall'.

References


Read the full report for CVE-2026-54269 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)