CVE-2026-59876
Received Received - Intake

Prototype Pollution in protobufjs Text Format Extension

Vulnerability report for CVE-2026-59876, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key __proto__ to change the prototype of the returned map object instead of creating an own map entry in protobufjs/ext/textformat. This issue is fixed in version 8.6.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
protobufjs protobufjs From 8.2.0 (inc) to 8.6.5 (exc)
protobufjs protobufjs to 8.6.5 (inc)
protobufjs protobufjs 8.6.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in protobufjs versions 8.2.0 to 8.6.4 involves the Text Format extension parsing string-keyed map entries using ordinary property assignment. This allows an attacker to provide a map entry with the key __proto__, which changes the prototype of the returned map object instead of creating a new own property. This prototype mutation can alter the behavior of the application by modifying inherited properties.

This issue is a prototype mutation vulnerability (not global prototype pollution) and only affects applications that parse untrusted Text Format input using the protobufjs/ext/textformat extension.

Impact Analysis

The vulnerability can impact applications by allowing an attacker to modify the prototype of map objects returned by protobufjs. This can lead to unexpected behavior if the application relies on inherited properties or does not properly validate input.

The impact is considered moderate with a CVSS score of 4.8, primarily due to potential low confidentiality and integrity impacts. It does not affect availability.

The actual impact depends on whether downstream logic treats inherited properties as meaningful, which could lead to security issues or incorrect application behavior.

Detection Guidance

This vulnerability affects protobufjs versions 8.2.0 to 8.6.4 when parsing untrusted Text Format input using the protobufjs/ext/textformat extension. Detection involves identifying if your system or network is using a vulnerable version of protobufjs and if it processes untrusted protobuf text format data.

You can detect the vulnerability by checking the protobufjs version in your environment. For example, if you are using npm, run the following command to check the installed version:

  • npm list protobufjs

If the version is between 8.2.0 and 8.6.4 inclusive, your system is potentially vulnerable.

Additionally, you can search your codebase for usage of the protobufjs/ext/textformat extension, which is the affected component:

  • grep -r 'protobufjs/ext/textformat' ./

To detect exploitation attempts, monitor logs or network traffic for protobuf text format inputs containing the key '__proto__', which is used to trigger the prototype mutation.

  • grep '__proto__' /path/to/logs/*
Mitigation Strategies

The primary mitigation is to upgrade protobufjs to version 8.6.5 or later, where the vulnerability is fixed by using own-property semantics and rejecting unsafe keys like '__proto__'.

If upgrading immediately is not possible, avoid parsing untrusted protobuf text format input with the protobufjs/ext/textformat extension.

Alternatively, implement input validation to reject map entries with the key '__proto__' before parsing.

These steps prevent prototype mutation attacks that could alter application behavior.

Compliance Impact

The vulnerability in protobufjs allows prototype mutation via specially crafted map entries with the key __proto__, which can lead to altered application behavior if untrusted input is parsed. This can potentially impact the confidentiality and integrity of data handled by applications using affected versions.

Since the vulnerability can lead to low confidentiality and integrity impacts, it may affect compliance with standards and regulations such as GDPR or HIPAA that require protection of sensitive data and integrity of processing systems.

Mitigation involves upgrading to protobufjs version 8.6.5 or later, avoiding parsing untrusted input, or validating input to reject unsafe keys like __proto__. Proper mitigation helps maintain compliance by reducing risks of unauthorized data manipulation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59876. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart