Jul 3, 2026·6 min read·2 visits
Untrusted protobuf schemas can define fields matching internal properties (such as 'hasOwnProperty' or 'rpcCall'), triggering uncaught runtime exceptions that crash the execution thread (Denial of Service).
A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.
The protobufjs library is a widely deployed JavaScript and TypeScript parser designed to handle Protocol Buffers. In standard implementations, the engine translates structured schema definitions into optimized runtime objects. This process involves dynamically compiling schemas into executable code paths to achieve high-performance serialization, deserialization, and validation operations.
The vulnerability, designated as CVE-2026-54269 (and tracked via GHSA-f38q-mgvj-vph7), stems from an unsafe assumption during this dynamic compilation phase. The compiler assumes that the field names defined in arbitrary user-supplied schemas will never collide with critical built-in methods or library properties. When a schema contains specific runtime-significant names, these identifiers shadow the underlying system properties.
This flaw exposes applications to unhandled exceptions and infinite loops, causing immediate runtime execution failures. The impact is particularly high for environments parsing untrusted schemas, multi-tenant registries, or microservice gateways that ingest external configurations dynamically.
The root cause of this vulnerability lies in how dynamically compiled JavaScript code interacts with standard prototypical inheritance. During schema processing, the library generates helper functions using string concatenation and compiles them via the Function constructor. When validating or converting objects, the generated methods check for field presence by evaluating expressions directly on the message instance, such as message.hasOwnProperty(fieldName).
If an untrusted schema contains a field explicitly named hasOwnProperty, the instantiated object is created with an own-property of the same name. Since native JavaScript objects resolve properties on the instance before traversing the prototype chain, the schema-derived property overrides the native Object.prototype.hasOwnProperty method. When the compiled validation logic subsequently executes, it attempts to call this shadowed property as a function, resulting in a type mismatch error.
In addition to property validation, service-level RPC bindings are vulnerable to helper method shadowing. When a service defines an RPC method named rpcCall, this identifier overrides the internal prototype method designed to orchestrate remote procedures. Invoking this service wrapper triggers an unintended self-referential call sequence, yielding uncontrolled recursion (CWE-674) and terminating the thread with a stack overflow.
Finally, metadata management is disrupted by field names starting with a dollar sign. The library relies on properties such as $type to manage serialization metadata. When schema-controlled structures define conflicting properties, the type resolution mappings break down, leading to structural failures during JSON serialization and translation.
To understand the vulnerability and its remediation, we examine the compilation differences introduced in patch version 7.6.3.
Prior to the patch, the validator generator in src/verifier.js generated conditional checks using direct instance invocation:
// Vulnerable logic generation pattern
if (message.field != null && message.hasOwnProperty("field")) {
// Validation logic execution
}If the field hasOwnProperty was present on the message instance, this check threw a TypeError: message.hasOwnProperty is not a function. The patch in PR #2311 resolved this by forcing execution to bypass local overrides through the native prototype method:
// Patched logic generation pattern
if (message.field != null && Object.hasOwnProperty.call(message, "field")) {
// Safe validation execution
}Similar changes were implemented across other codegen paths including src/converter.js and src/decoder.js to eliminate all instance-direct calls.
For service generation in src/service.js, the original implementation assigned method handlers that assumed this.rpcCall was the safe helper:
// Vulnerable wrapper assignment
rpcService[methodName] = util.codegen(["r","c"], methodName)("return this.rpcCall(m,q,s,r,c)");When methodName was equal to rpcCall, executing the method caused the function to endlessly call itself. The patched implementation utilizes an explicit closure to bind and call the prototype method securely:
// Patched service wrapper assignment
rpcService[methodName] = (function(method, requestType, responseType) {
return function rpcMethod(request, callback) {
return rpc.Service.prototype.rpcCall.call(this, method, requestType, responseType, request, callback);
};
})(method, method.resolvedRequestType.ctor, method.resolvedResponseType.ctor);An attacker can exploit this vulnerability by submitting a malformed Protocol Buffer schema designed to shadow runtime-critical properties. The following diagram illustrates the flow from schema submission to process termination:
To construct a proof of concept, an attacker crafts a .proto file that specifies a message structure where a field conflicts with native properties:
syntax = "proto3";
message ExploitPayload {
string hasOwnProperty = 1;
string standardField = 2;
}When the system receives and processes this schema, it evaluates the compilation definitions dynamically. If the application subsequently executes ExploitPayload.verify(incomingData) or ExploitPayload.toObject(message), the validation routine attempts to run the overridden method.
Because the value assigned to message.hasOwnProperty is a string (representing the data payload) and not a callable function, the execution halts immediately. Since JavaScript environments are single-threaded, an uncaught exception in the main loop terminates the host process.
The practical impact of CVE-2026-54269 is limited to Denial of Service (DoS) conditions. Because the vulnerability does not bypass access control parameters, it cannot be leveraged to execute arbitrary shellcode or read sensitive data from the system memory space directly.
However, in Node.js architectures, process termination represents a high operational risk. If the target application lacks robust orchestrators (such as Kubernetes pods or PM2 process managers), a single malformed payload can permanently take down the service instance. Even with active process managers, continuous exploitation can trigger crash-loop backoffs, exhausting server resources.
The CVSS v3.1 rating is 5.3 (Medium), with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. This score reflects that while the execution barrier is low and requires no administrative privileges, the overall scope remains isolated to the affected component.
To fully remediate CVE-2026-54269, development teams must update the affected dependencies across all service boundaries. For deployments using the 7.x release stream, update protobufjs to version 7.6.3 or later. For services on the 8.x branch, transition to 8.6.0 or higher. Applications compiling schemas statically must also update protobufjs-cli to versions 1.3.3 or 2.5.1 respectively, and regenerate all static assets.
If patching cannot be executed immediately, apply input validation filters to the schema ingestion path. Block any schemas that define properties named hasOwnProperty or declare service actions named rpcCall.
Additionally, implement validation rules to reject any fields or object definitions that begin with the dollar sign character ($). This configuration prevents attackers from corrupting internal metadata parameters and protects the execution integrity of json-to-protobuf translation utilities.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L| Product | Affected Versions | Fixed Version |
|---|---|---|
protobufjs protobufjs | < 7.6.3 | 7.6.3 |
protobufjs protobufjs | >= 8.0.0, < 8.6.0 | 8.6.0 |
protobufjs-cli protobufjs | < 1.3.3 | 1.3.3 |
protobufjs-cli protobufjs | >= 2.0.0, < 2.5.1 | 2.5.1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-754, CWE-674 |
| Attack Vector | Network |
| CVSS Score | 5.3 (Medium) |
| EPSS Score | 0.0024 (Percentile: 14.70%) |
| Impact | Denial of Service (DoS) |
| Exploit Status | Proof of Concept available |
| KEV Status | Not listed |
The software does not check or incorrectly checks for unusual or exceptional conditions that can occur during operation, leading to unexpected behavior or resource exhaustion.
An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.
An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.
A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.
A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).
CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.
A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.