CVE-2026-54269: Runtime Property Shadowing and Denial of Service in protobufjs
Vulnerability ID: CVE-2026-54269
CVSS Score: 5.3
Published: 2026-06-22
A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.
TL;DR
Untrusted protobuf schemas can define fields matching internal properties (such as 'hasOwnProperty' or 'rpcCall'), triggering uncaught runtime exceptions that crash the execution thread (Denial of Service).
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-754, CWE-674
- Attack Vector: Network
- CVSS Score: 5.3 (Medium)
- EPSS Score: 0.0024 (Percentile: 14.70%)
- Impact: Denial of Service (DoS)
- Exploit Status: Proof of Concept available
- KEV Status: Not listed
Affected Systems
- protobufjs
- protobufjs-cli
-
protobufjs: < 7.6.3 (Fixed in:
7.6.3) -
protobufjs: >= 8.0.0, < 8.6.0 (Fixed in:
8.6.0) -
protobufjs-cli: < 1.3.3 (Fixed in:
1.3.3) -
protobufjs-cli: >= 2.0.0, < 2.5.1 (Fixed in:
2.5.1)
Code Analysis
Commit: 78a9576
Avoid shadowing prototype properties
Mitigation Strategies
- Upgrade the dependency package to a patched release version.
- Establish strict schema validation rules to filter out conflict-prone property names.
- Ensure process management tools are configured to restart terminated nodes automatically.
Remediation Steps:
- Locate and review package.json configurations for protobufjs and protobufjs-cli.
- Update protobufjs to 7.6.3 or 8.6.0 depending on the active major version.
- Update protobufjs-cli to 1.3.3 or 2.5.1 to secure static code generation.
- Regenerate any pre-compiled JavaScript static schema files using the updated CLI.
- Deploy runtime validation logic to reject schema definitions containing the strings 'hasOwnProperty' or 'rpcCall'.
References
- GitHub Security Advisory (GHSA-f38q-mgvj-vph7)
- NVD CVE Record (CVE-2026-54269)
- CVE.org CVE Record (CVE-2026-54269)
- Pull Request #2311: Avoid shadowing prototype properties
Read the full report for CVE-2026-54269 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)