
chore(deps): update dependency protobufjs to v7.5.6 [security]#528

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-protobufjs-vulnerability

Conversation


@renovate renovate Bot commented Apr 17, 2026

This PR contains the following updates:

Package     Change           Age      Confidence
protobufjs  7.5.0 → 7.5.6    (badge)  (badge)

Arbitrary code execution in protobufjs

CVE-2026-41242 / GHSA-xq3m-2v4x-88gg

Details

Summary

protobufjs could execute generated JavaScript code derived from protobuf schema metadata. When loading a crafted JSON descriptor, schema-controlled type names and type references could reach runtime code generation without sufficient validation.

Impact

An attacker who can provide a malicious protobuf definition or JSON descriptor to an application may be able to execute arbitrary JavaScript in the context of the process using protobufjs.

This requires control over the protobuf schema or descriptor being loaded. Applications that only decode messages using trusted, application-defined schemas are not directly affected by this issue.

Preconditions
  • The application must allow an attacker to control or influence a protobuf definition or JSON descriptor.
  • The application must load that definition through protobufjs reflection APIs such as descriptor loading.
  • The affected generated-code path must be reached, for example by performing an operation on the loaded type.
Workarounds

Do not load protobuf definitions or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or restrict them before loading and run schema processing in an isolated environment.

Severity

  • CVSS Score: 9.4 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


protobufjs has overlong UTF-8 decoding

CVE-2026-44288 / GHSA-q6x5-8v7m-xcrf

Details

Summary

protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. The affected decoder accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them.

The issue concerns overlong encodings and code points outside the Unicode range. protobufjs may still accept some non-strict UTF-8 input for compatibility, so applications should not rely on protobufjs as a general-purpose strict UTF-8 validator.

Impact

An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters.

The practical impact depends on downstream application validation and how decoded strings are used. Node.js Buffer-backed decoding paths are not directly affected when they use Node's native UTF-8 decoding.

Preconditions
  • The application must decode protobuf binary data influenced by an attacker.
  • The affected protobuf string field must be decoded through protobufjs's minimal UTF-8 decoder rather than a native UTF-8 decoder.
  • The application must rely on byte-level filtering or validation before protobuf string decoding.
  • The decoded string must then be used in a security-sensitive context.
Workarounds

Avoid relying only on byte-level filtering before protobuf string decoding with affected versions. Validate decoded strings at the point where they are used, and prefer runtime paths that use native UTF-8 decoding where necessary.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

protobufjs/protobuf.js (protobufjs)

v7.5.6: protobufjs: v7.5.6

Bug Fixes

v7.5.5: v7.5.5

v7.5.5

This release backports two reported security issues to 7.x branch.

  • fix: do not allow setting __proto__ in Message constructor (#2126)
  • fix: filter invalid characters from the type name (#2127)

Full Changelog: protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5

v7.5.4: Bug Fixes

v7.5.3: Bug Fixes

v7.5.2: Bug Fixes

v7.5.1: Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR was generated by Mend Renovate. View the repository job log.
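The first advisory's workaround says to validate or restrict schemas before loading them. The following is an added example, not code from protobufjs or this repository: an allow-list check over a protobufjs JSON descriptor (the `{ nested: { ... } }` shape accepted by `Root.fromJSON`) that enforces protobuf identifier syntax on every name and type reference before the descriptor reaches protobufjs. The function and regex names and the two sample descriptors are constructed for this example; the check complements, and does not replace, upgrading to 7.5.6.

```javascript
// Added example (not protobufjs code): reject a JSON descriptor whose names or
// type references are not plain protobuf identifiers, before Root.fromJSON sees it.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;                                  // one identifier
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;  // dotted, optionally fully qualified

// Walks nested scopes, fields, enum values, oneofs and service methods.
// Returns an array of violation strings; an empty array means the descriptor passed.
function findUnsafeDescriptorNames(node, path = "") {
  const problems = [];
  const check = (re, value, where) => {
    if (typeof value !== "string" || !re.test(value)) problems.push(`${where}: ${JSON.stringify(value)}`);
  };
  for (const [name, child] of Object.entries(node.nested || {})) {
    const here = path ? `${path}.${name}` : name;
    check(IDENT, name, `nested name at ${path || "<root>"}`);
    for (const [fname, f] of Object.entries(child.fields || {})) {
      check(IDENT, fname, `field name in ${here}`);
      check(TYPE_REF, f && f.type, `field type of ${here}.${fname}`);
    }
    for (const ename of Object.keys(child.values || {})) check(IDENT, ename, `enum value in ${here}`);
    for (const oname of Object.keys(child.oneofs || {})) check(IDENT, oname, `oneof name in ${here}`);
    for (const [mname, m] of Object.entries(child.methods || {})) {
      check(IDENT, mname, `method name in ${here}`);
      check(TYPE_REF, m && m.requestType, `request type of ${here}.${mname}`);
      check(TYPE_REF, m && m.responseType, `response type of ${here}.${mname}`);
    }
    problems.push(...findUnsafeDescriptorNames(child, here)); // recurse into nested scopes
  }
  return problems;
}

// Constructed sample descriptors (not taken from the advisory).
const SAFE_DESCRIPTOR = {
  nested: { demo: { nested: {
    Status: { values: { OK: 0, FAILED: 1 } },
    Job: { fields: { id: { type: "uint64", id: 1 }, status: { type: ".demo.Status", id: 2 } } },
  } } },
};
const UNSAFE_DESCRIPTOR = {
  nested: { "Job-2": { fields: { id: { type: "uint64", id: 1 }, ref: { type: "a b", id: 2 } } } },
};
```

Run the check and refuse to call `Root.fromJSON` when the returned array is non-empty.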

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 17, 2026
@renovate renovate Bot force-pushed the renovate/npm-protobufjs-vulnerability branch 3 times, most recently from a068ab4 to 29e659c on May 5, 2026 05:28
@renovate renovate Bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 29e659c to 07ebe02 on May 12, 2026 11:07
@renovate renovate Bot changed the title Update dependency protobufjs to v7.5.5 [SECURITY] chore(deps): update dependency protobufjs to v7.5.5 [security] May 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 07ebe02 to fcc9cd9 on May 15, 2026 07:24
@renovate renovate Bot force-pushed the renovate/npm-protobufjs-vulnerability branch from fcc9cd9 to 7ca872c on May 18, 2026 18:50
@renovate renovate Bot changed the title chore(deps): update dependency protobufjs to v7.5.5 [security] chore(deps): update dependency protobufjs to v7.5.6 [security] May 21, 2026
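The second advisory describes a minimal UTF-8 decoder that accepted overlong sequences and out-of-range code points, so that byte-level filters could disagree with the decoded string. The following is an added example, not protobufjs code: a strict decoder that performs the checks the advisory names (overlong forms, code points above U+10FFFF) plus the surrogate and truncation checks a native strict decoder also applies, with a cross-check against the platform's `TextDecoder` in fatal mode. Function names and the byte samples are constructed for this example.

```javascript
// Added example (not protobufjs code): strict UTF-8 decoding as a model for
// "validate decoded strings at the point of use".
function strictUtf8Decode(bytes) {
  let text = "";
  let i = 0;
  while (i < bytes.length) {
    const b0 = bytes[i];
    let cp, need, min; // code point so far, continuation bytes required, smallest value this length may encode
    if (b0 < 0x80)                 { cp = b0;        need = 0; min = 0; }
    else if ((b0 & 0xe0) === 0xc0) { cp = b0 & 0x1f; need = 1; min = 0x80; }
    else if ((b0 & 0xf0) === 0xe0) { cp = b0 & 0x0f; need = 2; min = 0x800; }
    else if ((b0 & 0xf8) === 0xf0) { cp = b0 & 0x07; need = 3; min = 0x10000; }
    else return { ok: false, offset: i, reason: "invalid lead byte" };
    if (i + need >= bytes.length) return { ok: false, offset: i, reason: "truncated sequence" };
    for (let k = 1; k <= need; k++) {
      if ((bytes[i + k] & 0xc0) !== 0x80) return { ok: false, offset: i + k, reason: "invalid continuation byte" };
      cp = (cp << 6) | (bytes[i + k] & 0x3f);
    }
    if (cp < min) return { ok: false, offset: i, reason: "overlong encoding" };           // the advisory's bug class
    if (cp > 0x10ffff) return { ok: false, offset: i, reason: "code point outside Unicode range" };
    if (cp >= 0xd800 && cp <= 0xdfff) return { ok: false, offset: i, reason: "UTF-16 surrogate" };
    text += String.fromCodePoint(cp);
    i += need + 1;
  }
  return { ok: true, text };
}

// Cross-check: a strict native decoder (WHATWG TextDecoder, fatal: true) must reach the same verdict.
function agreesWithNativeStrict(bytes) {
  let native;
  try { native = new TextDecoder("utf-8", { fatal: true }).decode(Uint8Array.from(bytes)); }
  catch { native = null; }
  const ours = strictUtf8Decode(bytes);
  return ours.ok ? ours.text === native : native === null;
}

// Constructed samples.
const WELL_FORMED = [0x68, 0x69, 0xc3, 0xa9];   // "hi" followed by U+00E9
const OVERLONG_LT = [0xc0, 0xbc];               // overlong two-byte form of "<" (0x3c): a filter on raw bytes never sees 0x3c
const OUT_OF_RANGE = [0xf4, 0x90, 0x80, 0x80];  // would decode to U+110000
const SURROGATE = [0xed, 0xa0, 0x80];           // U+D800
const TRUNCATED = [0xe2, 0x82];                 // three-byte sequence cut short
```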