CVE-2026-44288: protobufjs has overlong UTF-8 decoding

May 12, 2026

protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. The affected decoder accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them.

The issue concerns overlong encodings and code points outside the Unicode range. protobufjs may still accept some non-strict UTF-8 input for compatibility, so applications should not rely on protobufjs as a general-purpose strict UTF-8 validator.

References

github.com/advisories/GHSA-q6x5-8v7m-xcrf
github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6
github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2
github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf
nvd.nist.gov/vuln/detail/CVE-2026-44288

Code Behaviors & Features

Detect and mitigate CVE-2026-44288 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →