{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54269", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-12T17:13:32.279Z", "datePublished": "2026-06-22T16:23:24.383Z", "dateUpdated": "2026-06-23T16:09:36.165Z"}, "containers": {"cna": {"title": "protobufjs: Schema-derived names can shadow runtime-significant properties", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-754", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7"}], "affected": [{"vendor": "protobufjs", "product": "protobuf.js", "versions": [{"version": "< 7.6.3", "status": "affected"}, {"version": ">= 8.0.0, < 8.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T16:23:24.383Z"}, "descriptions": [{"lang": "en", "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3."}], "source": {"advisory": "GHSA-f38q-mgvj-vph7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T16:07:04.844722Z", "id": "CVE-2026-54269", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T16:09:36.165Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54269", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-12T17:13:32.279Z", "datePublished": "2026-06-22T16:23:24.383Z", "dateUpdated": "2026-06-23T16:09:36.165Z"}, "containers": {"cna": {"title": "protobufjs: Schema-derived names can shadow runtime-significant properties", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-754", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7"}], "affected": [{"vendor": "protobufjs", "product": "protobuf.js", "versions": [{"version": "< 7.6.3", "status": "affected"}, {"version": ">= 8.0.0, < 8.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T16:23:24.383Z"}, "descriptions": [{"lang": "en", "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3."}], "source": {"advisory": "GHSA-f38q-mgvj-vph7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-54269", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T16:07:04.844722Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T16:07:08.694Z"}}]}}

{}

{"bugzilla": {"description": "protobufjs: protobufjs-cli: protobufjs: Denial of Service due to name collision with runtime helpers", "id": "2491473", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491473"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-606", "details": ["protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.", "A flaw was found in protobufjs, a JavaScript (JS) library for compiling protobuf definitions. A remote attacker could exploit this vulnerability by providing specially crafted protobuf definitions or message types that contain names colliding with internal protobufjs runtime helpers. This could lead to deterministic exceptions or recursive calls during various operations, ultimately causing a Denial of Service (DoS) in applications using the library."], "mitigation": {"lang": "en:us", "value": "No specific mitigation required for unaffected runtime paths."}, "name": "CVE-2026-54269", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Not affected", "package_name": "grafana-infinity-datasource-npm", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-console-plugin-pf5-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-console-plugin-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-console-plugin-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Not affected", "package_name": "openshift-service-mesh/kiali-ossmc-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Not affected", "package_name": "openshift-service-mesh/kiali-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-26/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-27/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-platform-ui", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Not affected", "package_name": "rh-podman-desktop.git", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:ceph_storage:9", "fix_state": "Not affected", "package_name": "rhceph/alloy-rhel10", "product_name": "Red Hat Ceph Storage 9"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/bootc-gaudi-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "dotnet9.0", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-core-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform/bootc-automation-portal-rhel9", "product_name": "Self-service automation portal 2"}], "public_date": "2026-06-22T16:23:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-54269\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-54269\nhttps://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7"], "statement": "Red Hat rates this issue as having Low impact for Red Hat Enterprise Linux AI bootc images. Although protobufjs is present as a transitive dependency, the vulnerable parsing path is not exercised in normal product operation.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.6.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.6.0)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "protobuf.js", "source": "cna", "vendor": "protobufjs"}, "product": "protobuf", "vendor": "protobuf"}], "created": "2026-06-22T19:00:14.184600+00:00", "updated": "2026-06-29T15:00:13.574693+00:00", "vendors": ["protobuf", "protobuf$PRODUCT$protobuf"]}