Improper Check for Unusual or Exceptional Conditions in protobufjs-cli | CVE-2026-54269

Q: How to fix?

Upgrade protobufjs-cli to version 1.3.3, 2.5.1 or higher.

Introduced: 15 Jun 2026

NewCVE-2026-54269 (opens in a new tab) CWE-754 (opens in a new tab)

How to fix?

Upgrade protobufjs-cli to version 1.3.3, 2.5.1 or higher.

Overview

protobufjs-cli is a Translates between file formats and generates static code as well as TypeScript definitions.

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the schema-derived names that collide with runtime-significant properties. An attacker can cause affected message or service types to become unusable, resulting in denial of service for the relevant processing path, by providing or influencing protobuf schemas or JSON descriptors containing problematic names such as hasOwnProperty, $type, or rpcCall.

Workaround

This vulnerability can be mitigated by not loading protobuf schemas or JSON descriptors from untrusted sources, or by validating and rejecting schema-derived field, oneof, and service method names that match the problematic names before loading.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Check for Unusual or Exceptional Conditions Affecting protobufjs-cli package, versions <1.3.3>=2.0.0 <2.5.1

Severity

Do your applications use this vulnerable package?