Vulnerable Library - sdk-2.9.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (sdk version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-41242 | Critical | 9.9 | protobufjs-7.5.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-44293 | High | 8.8 | protobufjs-7.5.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-44291 | High | 8.1 | protobufjs-7.5.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-44290 | High | 7.5 | protobufjs-7.5.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-44289 | High | 7.5 | protobufjs-7.5.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-8723 | Medium | 5.3 | qs-6.15.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-45740 | Medium | 5.3 | protobufjs-7.5.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-44294 | Medium | 5.3 | protobufjs-7.5.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-44292 | Medium | 5.3 | protobufjs-7.5.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-44288 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, no version of the direct dependency carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2026-41242
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Publish Date: 2026-04-18
URL: CVE-2026-41242
CVSS 3 Score Details (9.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-18
Fix Resolution: https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.5,https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-44293
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44293
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-12
Fix Resolution: https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6, protobufjs - 7.5.6, protobufjs - 8.0.2
CVE-2026-44291
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44291
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-75px-5xx7-5xc7
Release Date: 2026-05-12
Fix Resolution: protobufjs - 8.0.2, protobufjs - 7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2
CVE-2026-44290
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44290
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-jvwf-75h9-cwgg
Release Date: 2026-05-12
Fix Resolution: protobufjs - 8.0.2, protobufjs - 7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2
CVE-2026-44289
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44289
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-685m-2w69-288q
Release Date: 2026-05-12
Fix Resolution: protobufjs - 8.0.2, protobufjs - 7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2
CVE-2026-8723
Vulnerable Library - qs-6.15.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - url-0.11.4.tgz
    - ❌ qs-6.15.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Summary
"qs.stringify" throws "TypeError" when called with "arrayFormat: 'comma'" and "encodeValuesOnly: true" on an array containing "null" or "undefined". The throw is synchronous and not handled by any of qs's null-related options ("skipNulls", "strictNullHandling").
Details
In the comma + "encodeValuesOnly" branch, "lib/stringify.js:145" mapped the array through the raw encoder before joining:
```js
obj = utils.maybeMap(obj, encoder);
```
"utils.encode" ("lib/utils.js:195") reads "str.length" with no null guard, so a "null" or "undefined" element throws "TypeError". "skipNulls" and "strictNullHandling" are both checked in the per-element loop below this line and never get a chance to run.
Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + "encodeValuesOnly" branch was introduced in 4c4b23d ("encode comma values more consistently", PR #463, 2023-01-19), first released in v6.11.1.
PoC
```js
const qs = require('qs');
qs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true });
// TypeError: Cannot read properties of null (reading 'length')
//     at encode (lib/utils.js:195:13)
//     at Object.maybeMap (lib/utils.js:322:37)
//     at stringify (lib/stringify.js:145:25)
```
Fix
"lib/stringify.js:145", applied in 21f80b3 on "main" and released as v6.15.2:
- obj = utils.maybeMap(obj, encoder);
- obj = utils.maybeMap(obj, function (v) {
-
return v == null ? v : encoder(v);
- });
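Review bot: the `v == null` guard relies on loose equality to cover both `null` and `undefined`; since the PoC exercises both inputs, a one-line comment stating that intent (or spelling it out as `v === null || v === undefined`) would stop a later strict-equality cleanup from reintroducing the `TypeError` for `undefined`. The advisory also notes the same class of bug was fixed on the filter-array path in 0c180a4, so a single shared null-safe encoder helper would keep the two call sites from drifting apart.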
"null" and "undefined" now pass through "maybeMap" unchanged and reach the "join(',')" step as-is. For "{ a: [null, 'b'] }" this produces "a=,b", matching the non-"encodeValuesOnly" comma path (which already joins before encoding and produces "a=%2Cb" for the same input). Single-element "[null]" arrays still collapse via the existing "obj.join(',') || null" and remain subject to "skipNulls" / "strictNullHandling" in the main loop.
Affected versions
">=6.11.1 <6.15.2" — fixed in v6.15.2.
The vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + "encodeValuesOnly" path differently (joining before encoding) and are not affected. Empirically verified across released versions.
Impact
Application code that calls "qs.stringify" with both "arrayFormat: 'comma'" and "encodeValuesOnly: true" (both non-default) on input that may contain a "null" or "undefined" array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The "kills the worker process" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.
The vulnerable input is a "null" or "undefined" entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal "null").
Publish Date: 2026-05-16
URL: CVE-2026-8723
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-q8mj-m7cp-5q26
Release Date: 2026-05-16
Fix Resolution: qs - 6.15.2, https://github.com/ljharb/qs.git - v6.15.2
CVE-2026-45740
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.
Publish Date: 2026-05-13
URL: CVE-2026-45740
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.mend.io/vulnerability-database/CVE-2026-45740
Release Date: 2026-05-13
Fix Resolution: protobufjs - 7.5.8, protobufjs - 8.2.0, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.8, https://github.com/protobufjs/protobuf.js.git - protobufjs-8.2.0
CVE-2026-44294
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44294
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2pr8-phx7-x9h3
Release Date: 2026-05-12
Fix Resolution: protobufjs - 8.0.2, protobufjs - 7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6
CVE-2026-44292
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the proto key. If an application constructed a message from an attacker-controlled plain object, an own enumerable proto property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-05-13
URL: CVE-2026-44292
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fx83-v9x8-x52w
Release Date: 2026-05-12
Fix Resolution: protobufjs - 7.5.6, protobufjs - 8.0.2, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2
CVE-2026-44288
Vulnerable Libraries - protobufjs-7.5.4.tgz, utf8-1.1.0.tgz
protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
utf8-1.1.0.tgz
A minimal UTF8 implementation for number arrays.
Library home page: https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sdk-2.9.8.tgz (Root Library)
  - protobufjs-7.5.4.tgz
    - ❌ utf8-1.1.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs included a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44288
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-12
Fix Resolution: https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6, protobufjs - 8.0.2, protobufjs - 7.5.6, @protobufjs/utf8 - 1.1.1
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Publish Date: 2026-04-18
URL: CVE-2026-41242
CVSS 3 Score Details (9.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-18
Fix Resolution: https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.5,https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44293
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-12
Fix Resolution: https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2,protobufjs - 7.5.6,https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6,protobufjs - 7.5.6,protobufjs - 8.0.2,protobufjs - 8.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44291
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-75px-5xx7-5xc7
Release Date: 2026-05-12
Fix Resolution: protobufjs - 8.0.2,protobufjs - 7.5.6,protobufjs - 7.5.6,https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6,https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2,protobufjs - 8.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44290
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jvwf-75h9-cwgg
Release Date: 2026-05-12
Fix Resolution: protobufjs - 8.0.2,https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6,protobufjs - 8.0.2,protobufjs - 7.5.6,protobufjs - 7.5.6,https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44289
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-685m-2w69-288q
Release Date: 2026-05-12
Fix Resolution: protobufjs - 8.0.2,protobufjs - 7.5.6,https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6,protobufjs - 8.0.2,protobufjs - 7.5.6,https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - qs-6.15.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Summary
"qs.stringify" throws "TypeError" when called with "arrayFormat: 'comma'" and "encodeValuesOnly: true" on an array containing "null" or "undefined". The throw is synchronous and not handled by any of qs's null-related options ("skipNulls", "strictNullHandling").
Details
In the comma + "encodeValuesOnly" branch, "lib/stringify.js:145" mapped the array through the raw encoder before joining:
obj = utils.maybeMap(obj, encoder);
"utils.encode" ("lib/utils.js:195") reads "str.length" with no null guard, so a "null" or "undefined" element throws "TypeError". "skipNulls" and "strictNullHandling" are both checked in the per-element loop below this line and never get a chance to run.
Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + "encodeValuesOnly" branch was introduced in 4c4b23d ("encode comma values more consistently", PR #463, 2023-01-19), first released in v6.11.1.
PoC
const qs = require('qs');
qs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true });
// TypeError: Cannot read properties of null (reading 'length')
// at encode (lib/utils.js:195:13)
// at Object.maybeMap (lib/utils.js:322:37)
// at stringify (lib/stringify.js:145:25)
Fix
"lib/stringify.js:145", applied in 21f80b3 on "main" and released as v6.15.2:
"null" and "undefined" now pass through "maybeMap" unchanged and reach the "join(',')" step as-is. For "{ a: [null, 'b'] }" this produces "a=,b", matching the non-"encodeValuesOnly" comma path (which already joins before encoding and produces "a=%2Cb" for the same input). Single-element "[null]" arrays still collapse via the existing "obj.join(',') || null" and remain subject to "skipNulls" / "strictNullHandling" in the main loop.
Affected versions
">=6.11.1 <6.15.2" — fixed in v6.15.2.
The vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + "encodeValuesOnly" path differently (joining before encoding) and are not affected. Empirically verified across released versions.
Impact
Application code that calls "qs.stringify" with both "arrayFormat: 'comma'" and "encodeValuesOnly: true" (both non-default) on input that may contain a "null" or "undefined" array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The "kills the worker process" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.
The vulnerable input is a "null" or "undefined" entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal "null").
Publish Date: 2026-05-16
URL: CVE-2026-8723
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-q8mj-m7cp-5q26
Release Date: 2026-05-16
Fix Resolution: qs - 6.15.2, https://github.com/ljharb/qs.git - v6.15.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.
Publish Date: 2026-05-13
URL: CVE-2026-45740
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.mend.io/vulnerability-database/CVE-2026-45740
Release Date: 2026-05-13
Fix Resolution: protobufjs - 7.5.8, protobufjs - 8.2.0, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.8, https://github.com/protobufjs/protobuf.js.git - protobufjs-8.2.0
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44294
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-2pr8-phx7-x9h3
Release Date: 2026-05-12
Fix Resolution: protobufjs - 7.5.6, protobufjs - 8.0.2, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the `__proto__` key. If an application constructed a message from an attacker-controlled plain object, an own enumerable `__proto__` property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-05-13
URL: CVE-2026-44292
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-fx83-v9x8-x52w
Release Date: 2026-05-12
Fix Resolution: protobufjs - 7.5.6, protobufjs - 8.0.2, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2
Vulnerable Libraries - protobufjs-7.5.4.tgz, utf8-1.1.0.tgz
protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
utf8-1.1.0.tgz
A minimal UTF8 implementation for number arrays.
Library home page: https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44288
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-12
Fix Resolution: protobufjs - 7.5.6, protobufjs - 8.0.2, @protobufjs/utf8 - 1.1.1, https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.6, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.2