=====================================================================
CERT-Renater Note d'Information No. 2026/VULN630
_____________________________________________________________________

DATE : 15/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):
  Systems running protobufjs-cli (npm) versions prior to 1.3.2, 2.5.0,
  protobufjs (npm) versions prior to 8.6.0, 7.6.3.
=====================================================================

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-pr59-h9ph-3fr8
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-94rc-8x27-4472
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7
_____________________________________________________________________

Code injection in pbjs static output from crafted JSON descriptor names

High severity, published by dcodeIO as GHSA-pr59-h9ph-3fr8 on Jun 12, 2026

Package: protobufjs-cli (npm)
Affected versions: <=1.3.1 ; >=2.0.0, <=2.4.2
Patched versions: 1.3.2 ; 2.5.0

Description

Summary

A previous fix for unsafe name handling in pbjs static / static-module
code generation was incomplete. Affected versions of protobufjs-cli
could still emit unsafe JavaScript references when generating static
output from crafted JSON descriptor input. The common case of parsing
schemas from .proto files is not affected.

This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.

Impact

An attacker who can provide or influence pre-parsed JSON descriptors
passed to pbjs static code generation may be able to cause generated
JavaScript output to contain attacker-controlled code. The injected
code may execute if the generated file is later executed or imported
and an affected generated API path is invoked.

Preconditions

- The application or build process must run pbjs static code
  generation on a pre-parsed JSON descriptor influenced by an attacker.
- The generated JavaScript file must subsequently be executed or
  imported.
- An affected generated API path must be invoked.

Workarounds

Do not run affected versions of pbjs static or static-module generation
on untrusted JSON descriptors. If untrusted JSON descriptors must be
accepted, validate descriptor-derived names before code generation and
reject names that could not have been produced by parsing a valid
.proto file. Running code generation in an isolated environment can
reduce impact.

Severity

High, 8.2 / 10

CVSS v3 base metrics:
  Attack vector:       Network
  Attack complexity:   High
  Privileges required: None
  User interaction:    Required
  Scope:               Changed
  Confidentiality:     High
  Integrity:           High
  Availability:        Low
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L

CVE ID: CVE-2026-54271
Weaknesses: CWE-94
Credits: @JacobBrackett (Reporter); @dcodeIO (Remediation developer)
_____________________________________________________________________

Memory amplification from preserved unknown fields in binary decode

Moderate severity, published by dcodeIO as GHSA-94rc-8x27-4472 on Jun 12, 2026

Package: protobufjs (npm)
Affected versions: >=8.2.0, <=8.4.2
Patched versions: 8.5.0

Description

Summary

protobufjs 8.2.0 added support for preserving unknown fields
encountered during binary decode. Affected versions preserved unknown
wire elements in message.$unknowns and did not provide a decode-time
option to discard unknown fields before retaining them. A crafted
protobuf payload containing many unknown fields could therefore cause
a decoded message to retain substantially more memory than the input
size would suggest, even when unknown-field round-tripping is not
needed.

protobufjs 8.5.0 added the relevant decode-time options, allowing
applications that decode untrusted protobuf data to disable
unknown-field retention during decode. protobufjs 8.6.2 flips the
default so unknown fields are discarded unless explicitly opted into.
Impact

An attacker who can provide protobuf binary data decoded by an
application using affected protobufjs versions may be able to increase
memory pressure by sending messages with many unknown fields. This can
degrade availability or contribute to process termination in services
that decode and retain attacker-controlled messages.

This issue affects applications that decode untrusted protobuf binary
input and do not need unknown-field round-tripping. Applications that
only decode trusted protobuf data, already enforce input-size/
concurrency limits, or do not retain decoded messages beyond immediate
processing are less directly affected.

Preconditions

- The application must decode protobuf binary data influenced by an
  attacker.
- The decoded schema must not define the attacker-selected field
  numbers, causing those fields to be treated as unknown.
- The application must use a protobufjs version that preserves unknown
  fields but does not provide a decode-time discard option.
- The decoded message, or enough decoded messages concurrently, must
  remain live long enough for retained unknown-field data to affect
  memory usage.

Workarounds

Upgrade to protobufjs 8.5.0 or newer and disable unknown-field
preservation if not needed: create a Reader, set
reader.discardUnknown = true, and decode from that reader, or make this
the default for subsequently created readers by setting
Reader.discardUnknown = true.

When upgrading to protobufjs 8.6.2 or newer, unknown fields are
discarded by default unless opted into by setting
discardUnknown = false.

Applications should also continue to enforce input-size, request
concurrency, and request timeout limits at their transport or
application boundary.
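To make the mechanism behind this advisory and its decode-time mitigation concrete, here is an added example written for this note; it is not protobufjs's own implementation. It is a minimal protobuf wire-format decoder with a discardUnknown switch modelled on the reader option named in the workaround. The helper names, the $unknowns layout and the sample payload (one known field followed by many unknown length-delimited fields) are constructed for the example.

```javascript
// Added example, not protobufjs code: a minimal protobuf wire-format decoder
// with a discardUnknown switch modelled on the reader option the advisory
// names. All helper names, the $unknowns layout and the sample payload are
// constructed for this example.

// Read one base-128 varint at pos; returns [value, nextPos].
function readVarint(buf, pos) {
  let result = 0;
  let shift = 0;
  for (;;) {
    if (pos >= buf.length) throw new RangeError("truncated varint");
    const b = buf[pos++];
    result += (b & 0x7f) * 2 ** shift; // multiply, not <<, to stay exact above 2^31
    if ((b & 0x80) === 0) return [result, pos];
    shift += 7;
    if (shift > 63) throw new RangeError("varint too long");
  }
}

// Append a varint to `out` (only used to build the constructed sample).
function writeVarint(value, out) {
  while (value > 0x7f) {
    out.push((value % 128) | 0x80);
    value = Math.floor(value / 128);
  }
  out.push(value);
}

// Decode one message. `schema` maps known field numbers to field names.
// With discardUnknown=false every unknown element's raw bytes are copied into
// msg.$unknowns (what the affected versions did unconditionally); with
// discardUnknown=true the element is skipped and nothing is retained.
function decode(buf, schema, { discardUnknown = false } = {}) {
  const msg = { $unknowns: [] };
  let pos = 0;
  while (pos < buf.length) {
    const start = pos;
    let tag;
    [tag, pos] = readVarint(buf, pos);
    const fieldNo = Math.floor(tag / 8);
    const wireType = tag & 7;
    let value;
    switch (wireType) {
      case 0: // varint
        [value, pos] = readVarint(buf, pos);
        break;
      case 1: // 64-bit
        value = buf.subarray(pos, pos + 8);
        pos += 8;
        break;
      case 5: // 32-bit
        value = buf.subarray(pos, pos + 4);
        pos += 4;
        break;
      case 2: { // length-delimited
        let len;
        [len, pos] = readVarint(buf, pos);
        value = buf.subarray(pos, pos + len);
        pos += len;
        break;
      }
      default:
        throw new Error("unsupported wire type " + wireType);
    }
    if (pos > buf.length) throw new RangeError("truncated field " + fieldNo);
    if (Object.prototype.hasOwnProperty.call(schema, fieldNo)) {
      msg[schema[fieldNo]] = value;
    } else if (!discardUnknown) {
      // Retained memory grows with the input the sender controls.
      msg.$unknowns.push({ fieldNo, wireType, bytes: Uint8Array.from(buf.subarray(start, pos)) });
    }
  }
  return msg;
}

// Bytes held for unknown fields after decode: the quantity the advisory is about.
function retainedUnknownBytes(msg) {
  return msg.$unknowns.reduce((n, u) => n + u.bytes.length, 0);
}

// Constructed sample payload: known field 1 (varint 7), then `count` copies of
// an unknown length-delimited field 999 carrying `size` zero bytes each.
function buildSample(count, size) {
  const out = [];
  writeVarint((1 << 3) | 0, out);
  writeVarint(7, out);
  for (let i = 0; i < count; i++) {
    writeVarint((999 << 3) | 2, out);
    writeVarint(size, out);
    for (let j = 0; j < size; j++) out.push(0);
  }
  return Uint8Array.from(out);
}

const schema = { 1: "id" }; // the application only knows field 1
const sample = buildSample(100, 64);
const retained = decode(sample, schema);                            // affected behaviour
const discarded = decode(sample, schema, { discardUnknown: true }); // mitigated decode
```

The known field decodes to the same value either way; the difference is that the retaining decode keeps a copy of every unknown element (here 100 elements, 6700 bytes for a 6702-byte input, and the ratio only grows with larger inputs), while the discarding decode keeps nothing beyond the schema's own fields. In protobufjs itself the equivalent is to decode through a Reader with discardUnknown set, as the workaround above describes.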
Severity

Moderate, 5.3 / 10

CVSS v3 base metrics:
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     None
  Integrity:           None
  Availability:        Low
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID: CVE-2026-54270
Weaknesses: CWE-770
Credits: @sondt99 (Reporter); @dcodeIO (Remediation developer)
_____________________________________________________________________

Certain schema-derived names can shadow runtime-significant properties

Moderate severity, published by dcodeIO as GHSA-f38q-mgvj-vph7 on Jun 12, 2026

Package: protobufjs (npm)
Affected versions: >=8.0.0, <=8.5.0 ; <=7.6.2
Patched versions: 8.6.0 ; 7.6.3

Package: protobufjs-cli (npm)
Affected versions: >=2.0.0, <=2.5.0 ; <=1.3.2
Patched versions: 2.5.1 ; 1.3.3

Description

Summary

protobufjs accepted certain schema-derived names that could collide
with properties used by protobufjs runtime helpers. The known affected
names are:

- fields named hasOwnProperty,
- field or oneof names such as $type when loaded through protobufjs
  JSON/reflection descriptors, and
- service methods whose generated helper name is rpcCall.

When affected message or service types were used, protobufjs could
read schema-controlled data where it expected an own-property helper,
reflected type metadata, or the base RPC helper. This could cause
deterministic exceptions or recursive calls in affected decode
post-checks, verification, object conversion, reflected JSON
serialization, or protobufjs RPC helper invocation.

Impact

An attacker who can provide or influence protobuf schemas or protobufjs
JSON descriptors may be able to make affected message or service types
unusable, resulting in denial of service for the affected processing
path. Applications using only trusted schemas are affected only if
those schemas contain one of the problematic names and the application
reaches the affected API path. The issue is not known to allow code
execution by itself.
Preconditions

- The application must use an affected protobufjs version.
- The application must load or use a schema or protobufjs JSON
  descriptor containing one of the problematic names: a field named
  hasOwnProperty, a field or oneof named $type through protobufjs
  JSON/reflection descriptor input, or a service method whose
  generated helper name is rpcCall.
- The application must reach the affected API path for that name:
  required-field decode post-checks, verify, or toObject for
  hasOwnProperty; reflected message JSON serialization for $type; or
  protobufjs RPC service invocation for rpcCall.

Workarounds

Do not load protobuf schemas or protobufjs JSON descriptors from
untrusted sources with affected versions. If untrusted schemas or
descriptors must be accepted, validate schema-derived field, oneof,
and service method names before loading and reject the problematic
names described above. Applications using trusted schemas can avoid
the issue by renaming affected fields or service methods, or by
avoiding the affected API path.

Severity

Moderate, 5.3 / 10

CVSS v3 base metrics:
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     None
  Integrity:           None
  Availability:        Low
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID: CVE-2026-54269
Weaknesses: CWE-674, CWE-754
Credits: @acorn421 (Reporter); @dcodeIO (Remediation developer)

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================
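The name-validation workaround recommended for both GHSA-pr59-h9ph-3fr8 (validate descriptor-derived names before pbjs static generation and reject names a .proto parser could not produce) and GHSA-f38q-mgvj-vph7 (validate field, oneof and service method names before loading and reject hasOwnProperty, $type and rpcCall) can be implemented as a single pre-load check. The following is an added example written for this note, not protobufjs or pbjs code. It walks the JSON descriptor shape protobufjs uses (nested / fields / oneofs / methods / values). The identifier pattern, the assumption that a service method's helper name is the method name with its first letter lower-cased, and the extra rule rejecting any Object.prototype property name go beyond what the advisories state and are this example's own conservative choices; the two sample descriptors are constructed.

```javascript
// Added example, not protobufjs or pbjs code: a pre-load validator for
// protobufjs JSON descriptors. It walks the descriptor shape protobufjs
// emits ("nested", "fields", "oneofs", "methods", "values") and reports
// names a .proto parser could not have produced plus the names the
// advisory lists as colliding with runtime helpers. The identifier pattern,
// the RPC helper-name derivation (first letter lower-cased) and the extra
// Object.prototype rule are this example's assumptions.

// Conservative approximation of a .proto identifier: a .proto parser cannot
// yield names containing "$", ".", spaces, quotes, brackets or other
// punctuation, so such names can only come from a hand-crafted descriptor.
const PROTO_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Names GHSA-f38q-mgvj-vph7 lists as colliding with protobufjs runtime
// helpers, keyed by the kind of schema element they appear on.
const COLLIDING = {
  field: new Set(["hasOwnProperty", "$type"]),
  oneof: new Set(["$type"]),
  method: new Set(["rpcCall"]),
};

// Stricter than the advisory (assumption): reject any field or oneof name
// that already exists on Object.prototype, since generated objects and
// helpers look these names up as properties.
const OBJECT_PROTO_NAMES = new Set(Object.getOwnPropertyNames(Object.prototype));

// Assumed helper-name derivation for service methods: first letter lower-cased.
function lcFirst(s) {
  return s.charAt(0).toLowerCase() + s.slice(1);
}

function checkName(kind, name, path, findings) {
  if (!PROTO_IDENT.test(name)) {
    findings.push({ path, kind, name, reason: "not a valid .proto identifier" });
  }
  const effective = kind === "method" ? lcFirst(name) : name;
  if (COLLIDING[kind] && COLLIDING[kind].has(effective)) {
    findings.push({ path, kind, name, reason: "collides with a protobufjs runtime helper name" });
  }
  if ((kind === "field" || kind === "oneof") && OBJECT_PROTO_NAMES.has(name)) {
    findings.push({ path, kind, name, reason: "shadows an Object.prototype property" });
  }
}

// Recursively walk one namespace level of a protobufjs JSON descriptor.
function walk(node, path, findings) {
  for (const [name, child] of Object.entries(node.nested || {})) {
    if (!child || typeof child !== "object") continue;
    const here = path ? `${path}.${name}` : name;
    checkName("type", name, here, findings);
    for (const f of Object.keys(child.fields || {})) checkName("field", f, here, findings);
    for (const o of Object.keys(child.oneofs || {})) checkName("oneof", o, here, findings);
    for (const m of Object.keys(child.methods || {})) checkName("method", m, here, findings);
    for (const v of Object.keys(child.values || {})) checkName("value", v, here, findings);
    walk(child, here, findings);
  }
}

// Returns every problem found; an empty list means the descriptor may be
// handed to pbjs or Root.fromJSON.
function validateDescriptor(descriptor) {
  const findings = [];
  walk(descriptor, "", findings);
  return findings;
}

function isSafeDescriptor(descriptor) {
  return validateDescriptor(descriptor).length === 0;
}

// Constructed sample descriptors (not taken from the advisories).
const cleanDescriptor = {
  nested: { demo: { nested: {
    Greeting: { fields: { text: { type: "string", id: 1 } } },
    Greeter: { methods: { SayHello: { requestType: "Greeting", responseType: "Greeting" } } },
  } } },
};

const craftedDescriptor = {
  nested: { demo: { nested: {
    Greeting: {
      fields: {
        text: { type: "string", id: 1 },
        hasOwnProperty: { type: "string", id: 2 },
        $type: { type: "string", id: 3 },
        "bad name!": { type: "string", id: 4 },
      },
      oneofs: { $type: { oneof: ["text"] } },
    },
    Greeter: { methods: { RpcCall: { requestType: "Greeting", responseType: "Greeting" } } },
  } } },
};
```

Run validateDescriptor on any descriptor that did not come from parsing a trusted .proto file and refuse to generate or load when the list is non-empty; the findings carry the dotted path and the reason, which is what a build log or an audit event needs. The clean descriptor yields no findings, while the crafted one is rejected on every line the advisories call out (the hasOwnProperty field, the $type field and oneof, the RpcCall method) as well as on the name that no .proto parser could have emitted.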