Vulnerable Library - plugin-log-otel-0.27.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (plugin-log-otel version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-41242 | Critical | 9.9 | protobufjs-7.5.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-44293 | High | 8.8 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | ❌ |
| CVE-2026-44291 | High | 8.1 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | ❌ |
| CVE-2026-44290 | High | 7.5 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | ❌ |
| CVE-2026-44289 | High | 7.5 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | ❌ |
| CVE-2026-45740 | Medium | 5.3 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | ❌ |
| CVE-2026-44294 | Medium | 5.3 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | ❌ |
| CVE-2026-44292 | Medium | 5.3 | protobufjs-7.5.4.tgz | Transitive | 0.27.1 | ❌ |
| CVE-2026-44288 | Medium | 5.3 | detected in multiple dependencies | Transitive | 0.27.1 | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2026-41242
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-log-otel-0.27.0.tgz (Root Library)
  - exporter-logs-otlp-http-0.200.0.tgz
    - otlp-transformer-0.200.0.tgz
      - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Publish Date: 2026-04-18
URL: CVE-2026-41242
CVSS 3 Score Details (9.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-18
Fix Resolution: https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.5, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-44293
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-log-otel-0.27.0.tgz (Root Library)
  - exporter-logs-otlp-http-0.200.0.tgz
    - otlp-transformer-0.200.0.tgz
      - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44293
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-12
Fix Resolution (protobufjs): 7.5.6
Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1
CVE-2026-44291
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-log-otel-0.27.0.tgz (Root Library)
  - exporter-logs-otlp-http-0.200.0.tgz
    - otlp-transformer-0.200.0.tgz
      - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44291
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-75px-5xx7-5xc7
Release Date: 2026-05-12
Fix Resolution (protobufjs): 7.5.6
Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1
CVE-2026-44290
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-log-otel-0.27.0.tgz (Root Library)
  - exporter-logs-otlp-http-0.200.0.tgz
    - otlp-transformer-0.200.0.tgz
      - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44290
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jvwf-75h9-cwgg
Release Date: 2026-05-12
Fix Resolution (protobufjs): 7.5.6
Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1
CVE-2026-44289
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-log-otel-0.27.0.tgz (Root Library)
  - exporter-logs-otlp-http-0.200.0.tgz
    - otlp-transformer-0.200.0.tgz
      - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44289
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-685m-2w69-288q
Release Date: 2026-05-12
Fix Resolution (protobufjs): 7.5.6
Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1
CVE-2026-45740
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-log-otel-0.27.0.tgz (Root Library)
  - exporter-logs-otlp-http-0.200.0.tgz
    - otlp-transformer-0.200.0.tgz
      - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.
Publish Date: 2026-05-13
URL: CVE-2026-45740
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.mend.io/vulnerability-database/CVE-2026-45740
Release Date: 2026-05-13
Fix Resolution (protobufjs): 7.5.8
Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1
CVE-2026-44294
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-log-otel-0.27.0.tgz (Root Library)
  - exporter-logs-otlp-http-0.200.0.tgz
    - otlp-transformer-0.200.0.tgz
      - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44294
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-2pr8-phx7-x9h3
Release Date: 2026-05-12
Fix Resolution (protobufjs): 7.5.6
Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1
CVE-2026-44292
Vulnerable Library - protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-log-otel-0.27.0.tgz (Root Library)
  - exporter-logs-otlp-http-0.200.0.tgz
    - otlp-transformer-0.200.0.tgz
      - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the proto key. If an application constructed a message from an attacker-controlled plain object, an own enumerable proto property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-05-13
URL: CVE-2026-44292
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-fx83-v9x8-x52w
Release Date: 2026-05-12
Fix Resolution (protobufjs): 7.5.6
Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1
CVE-2026-44288
Vulnerable Libraries - utf8-1.1.0.tgz, protobufjs-7.5.4.tgz
utf8-1.1.0.tgz
A minimal UTF8 implementation for number arrays.
Library home page: https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-log-otel-0.27.0.tgz (Root Library)
  - exporter-logs-otlp-http-0.200.0.tgz
    - otlp-transformer-0.200.0.tgz
      - protobufjs-7.5.4.tgz
        - ❌ utf8-1.1.0.tgz (Vulnerable Library)
protobufjs-7.5.4.tgz
Protocol Buffers for JavaScript (& TypeScript).
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- plugin-log-otel-0.27.0.tgz (Root Library)
  - exporter-logs-otlp-http-0.200.0.tgz
    - otlp-transformer-0.200.0.tgz
      - ❌ protobufjs-7.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs included a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.
Publish Date: 2026-05-13
URL: CVE-2026-44288
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-12
Fix Resolution (@protobufjs/utf8): 1.1.1
Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1
Fix Resolution (protobufjs): 1.1.1
Direct dependency fix Resolution (@storm-stack/plugin-log-otel): 0.27.1