Skip to main content

protobuf.js CVE-2026-44289

HIGH
Uncontrolled Recursion (CWE-674)
2026-05-12 https://github.com/protobufjs/protobuf.js GHSA-685m-2w69-288q
7.5
CVSS 3.1 · Vendor: https://github.com/protobufjs/protobuf.js
Share

Severity by source

Vendor (https://github.com/protobufjs/protobuf.js) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/protobufjs/protobuf.js).

CVSS VectorVendor: https://github.com/protobufjs/protobuf.js

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 12, 2026 - 16:00 vuln.today
Analysis Generated
May 12, 2026 - 16:00 vuln.today
CVE Published
May 12, 2026 - 15:01 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,242 npm packages depend on protobufjs (72 direct, 1,171 indirect)

Ecosystem-wide dependent count for version 8.0.0.

DescriptionCVE.org

Summary

protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.

A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding.

Impact

An attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause decoding to fail with a stack overflow.

This affects applications that decode untrusted protobuf binary input with affected versions.

Preconditions

  • The application must decode protobuf binary data influenced by an attacker.
  • The crafted input must contain deeply nested protobuf structures, such as nested group tags or nested message fields.
  • The affected decoder path must process the crafted input.

Workarounds

Avoid decoding untrusted protobuf binary data with affected versions. If immediate upgrade is not possible, reject excessively nested messages at an outer protocol boundary where feasible, or isolate protobuf decoding in a process that can be safely restarted.

AnalysisAI

Remote denial of service in protobuf.js (npm package) allows unauthenticated attackers to crash Node.js processes by sending crafted protobuf payloads with deeply nested structures. The vulnerability affects the binary decoding path where unbounded recursion exhausts the JavaScript call stack. Version 7.5.6 and 8.0.2 patches are available. Applications decoding untrusted protobuf data over network APIs, message queues, or file uploads are at immediate risk. CVSS 7.5 (High) reflects network attack vector with no authentication required.

Technical ContextAI

This vulnerability affects protobuf.js (pkg:npm/protobufjs), a pure JavaScript implementation of Protocol Buffers used for serializing structured data in Node.js and browser environments. The flaw is a classic unbounded recursion issue (CWE-674: Uncontrolled Recursion) in the binary decoder. Protocol Buffers support nested message fields and group tags, which the decoder processes recursively. Without depth limiting, an attacker can construct a protobuf binary with arbitrarily deep nesting that forces the decoder into recursive calls until the JavaScript call stack is exhausted. This affects both the path that skips unknown group fields during decoding and the generated code for decoding nested message fields. Versions 7.5.5 and earlier, plus 8.0.0 through 8.0.1, lack input validation on nesting depth. The fix in 7.5.6 and 8.0.2 (commit 75392ea) introduces input hardening to limit recursion depth during binary decoding.

RemediationAI

Upgrade to patched versions immediately: protobuf.js 7.5.6 for the 7.x branch or 8.0.2 for the 8.x branch, as confirmed in GitHub releases (https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6 and https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2). The fix backports input hardening that limits recursion depth during binary decoding (commit 75392ea). If immediate upgrade is not feasible, implement the following compensating controls: reject protobuf messages exceeding a reasonable nesting depth at application boundaries before decoding (trade-off: requires custom validation logic and may reject legitimate deeply nested data structures); isolate protobuf decoding in separate worker processes or containers with aggressive restart policies to contain crash impact (trade-off: adds latency and architectural complexity); or disable acceptance of protobuf binary input from untrusted sources and use JSON alternatives temporarily (trade-off: breaks protocol compatibility and may reduce performance). Review all npm dependencies to ensure transitive protobuf.js usage is updated, as many libraries bundle it indirectly.

Vendor StatusVendor

Share

CVE-2026-44289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy