plugin-log-otel-0.27.0.tgz: 9 vulnerabilities (highest severity is: 9.9) #217

@mend-bolt-for-github

Description
Vulnerable Library - plugin-log-otel-0.27.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (plugin-log-otel version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-41242 | Critical | 9.9 | protobufjs-7.5.4.tgz | Transitive | N/A* | |
| CVE-2026-44293 | High | 8.8 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | |
| CVE-2026-44291 | High | 8.1 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | |
| CVE-2026-44290 | High | 7.5 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | |
| CVE-2026-44289 | High | 7.5 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | |
| CVE-2026-45740 | Medium | 5.3 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | |
| CVE-2026-44294 | Medium | 5.3 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | |
| CVE-2026-44292 | Medium | 5.3 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | |
| CVE-2026-44288 | Medium | 5.3 | detected in multiple dependencies | Transitive | 0.27.1 | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2026-41242

Vulnerable Library - protobufjs-7.5.4.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-log-otel-0.27.0.tgz (Root Library)
    • exporter-logs-otlp-http-0.200.0.tgz
      • otlp-transformer-0.200.0.tgz
        • protobufjs-7.5.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Publish Date: 2026-04-18

URL: CVE-2026-41242

CVSS 3 Score Details (9.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-18

Fix Resolution: https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.5, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-44293

Vulnerable Library - protobufjs-7.5.4.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-log-otel-0.27.0.tgz (Root Library)
    • exporter-logs-otlp-http-0.200.0.tgz
      • otlp-transformer-0.200.0.tgz
        • protobufjs-7.5.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Summary

protobufjs generated JavaScript for "toObject" conversion could include an unsafe expression derived from a schema-controlled "bytes" field default value. A crafted descriptor with a non-string default value for a "bytes" field could cause attacker-controlled code to be emitted into the generated conversion function.

Impact

An attacker who can provide or influence a protobuf descriptor may be able to execute arbitrary JavaScript in the context of the process using protobufjs. This requires the application to load an attacker-controlled schema or descriptor and then convert a message of the affected type with defaults enabled. Applications that only use trusted, application-defined schemas are not directly affected by this issue.

Preconditions

  • The application must allow an attacker to control or influence a protobuf JSON descriptor or equivalent reflected schema.
  • The descriptor must define a "bytes" field with an attacker-controlled default value.
  • The application must call "toObject" with defaults enabled for the affected type.

Workarounds

Do not load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or restrict field options before loading them and run schema processing in an isolated environment.

Publish Date: 2026-05-14

URL: CVE-2026-44293

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution (protobufjs): 7.5.6

Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1

CVE-2026-44291

Vulnerable Library - protobufjs-7.5.4.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-log-otel-0.27.0.tgz (Root Library)
    • exporter-logs-otlp-http-0.200.0.tgz
      • otlp-transformer-0.200.0.tgz
        • protobufjs-7.5.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Summary

protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If "Object.prototype" had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code.

Impact

An attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution. This issue requires a separate prototype pollution primitive before protobufjs is invoked. Applications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.

Preconditions

  • The application or one of its dependencies must allow an attacker to pollute "Object.prototype".
  • The polluted property must affect protobufjs internal type lookup behavior.
  • The application must use protobufjs functionality that generates encode or decode code for affected types.
  • The generated code path must be reached after the prototype pollution has occurred.

Workarounds

Avoid running affected versions in applications where attacker-controlled input can pollute "Object.prototype". If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.

Publish Date: 2026-05-14

URL: CVE-2026-44291

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-75px-5xx7-5xc7

Release Date: 2026-05-12

Fix Resolution (protobufjs): 7.5.6

Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1

CVE-2026-44290

Vulnerable Library - protobufjs-7.5.4.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-log-otel-0.27.0.tgz (Root Library)
    • exporter-logs-otlp-http-0.200.0.tgz
      • otlp-transformer-0.200.0.tgz
        • protobufjs-7.5.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.

Publish Date: 2026-05-13

URL: CVE-2026-44290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jvwf-75h9-cwgg

Release Date: 2026-05-12

Fix Resolution (protobufjs): 7.5.6

Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1

CVE-2026-44289

Vulnerable Library - protobufjs-7.5.4.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-log-otel-0.27.0.tgz (Root Library)
    • exporter-logs-otlp-http-0.200.0.tgz
      • otlp-transformer-0.200.0.tgz
        • protobufjs-7.5.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.

Publish Date: 2026-05-13

URL: CVE-2026-44289

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-685m-2w69-288q

Release Date: 2026-05-12

Fix Resolution (protobufjs): 7.5.6

Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1

CVE-2026-45740

Vulnerable Library - protobufjs-7.5.4.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-log-otel-0.27.0.tgz (Root Library)
    • exporter-logs-otlp-http-0.200.0.tgz
      • otlp-transformer-0.200.0.tgz
        • protobufjs-7.5.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.

Publish Date: 2026-05-13

URL: CVE-2026-45740

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.mend.io/vulnerability-database/CVE-2026-45740

Release Date: 2026-05-13

Fix Resolution (protobufjs): 7.5.8

Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1

CVE-2026-44294

Vulnerable Library - protobufjs-7.5.4.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-log-otel-0.27.0.tgz (Root Library)
    • exporter-logs-otlp-http-0.200.0.tgz
      • otlp-transformer-0.200.0.tgz
        • protobufjs-7.5.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Summary

protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation.

Impact

An attacker who can provide or influence a protobuf schema or JSON descriptor may be able to make affected message types unusable by causing protobufjs runtime code generation to throw a syntax error. This is a denial of service issue for applications that load untrusted schemas or descriptors. Applications that only use trusted, application-defined schemas are not directly affected by this issue. The issue is not known to allow code execution by itself.

Preconditions

  • The application must allow an attacker to control or influence a protobuf schema or JSON descriptor.
  • The crafted input must define a field name containing control characters that reach generated JavaScript property access.
  • The application must perform an operation that triggers protobufjs code generation for the affected type, such as encode, decode, verify, "fromObject", or "toObject".

Workarounds

Do not load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate field names before loading them and reject names containing control characters.

Publish Date: 2026-05-14

URL: CVE-2026-44294

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-2pr8-phx7-x9h3

Release Date: 2026-05-12

Fix Resolution (protobufjs): 7.5.6

Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1

CVE-2026-44292

Vulnerable Library - protobufjs-7.5.4.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-log-otel-0.27.0.tgz (Root Library)
    • exporter-logs-otlp-http-0.200.0.tgz
      • otlp-transformer-0.200.0.tgz
        • protobufjs-7.5.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-05-13

URL: CVE-2026-44292

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-fx83-v9x8-x52w

Release Date: 2026-05-12

Fix Resolution (protobufjs): 7.5.6

Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1

CVE-2026-44288

Vulnerable Libraries - utf8-1.1.0.tgz, protobufjs-7.5.4.tgz

utf8-1.1.0.tgz

A minimal UTF8 implementation for number arrays.

Library home page: https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-log-otel-0.27.0.tgz (Root Library)
    • exporter-logs-otlp-http-0.200.0.tgz
      • otlp-transformer-0.200.0.tgz
        • protobufjs-7.5.4.tgz
          • utf8-1.1.0.tgz (Vulnerable Library)

protobufjs-7.5.4.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-log-otel-0.27.0.tgz (Root Library)
    • exporter-logs-otlp-http-0.200.0.tgz
      • otlp-transformer-0.200.0.tgz
        • protobufjs-7.5.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.

Publish Date: 2026-05-13

URL: CVE-2026-44288

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution (@protobufjs/utf8): 1.1.1

Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1

Fix Resolution (protobufjs): 1.1.1

Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1