Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote untrusted protobuf input with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); only availability is impacted via process crash (C:N/I:N/A:H), scope unchanged.
Primary rating from Vendor (https://github.com/protobufjs/protobuf.js).
CVSS VectorVendor: https://github.com/protobufjs/protobuf.js
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1,242 npm packages depend on protobufjs (72 direct, 1,171 indirect)
Ecosystem-wide dependent count for version 8.0.0.
DescriptionCVE.org
Summary
protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path.
A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON.
Impact
An attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause message conversion to fail with a stack overflow.
This affects applications that decode untrusted protobuf input containing google.protobuf.Any values and then convert decoded messages to JSON or plain objects with JSON conversion enabled, for example through JSON.stringify(message), Message#toJSON(), or Type.toObject(message, { json: true }).
Applications that only decode and re-encode protobuf binary data without converting decoded messages to JSON are not directly affected by this issue.
Preconditions
- The application must decode protobuf binary data influenced by an attacker.
- The application schema must include
google.protobuf.Any, and the referencedtype_urlmust resolve to a message type in the loaded protobuf root. - The application must convert the decoded message to JSON or a plain object through an affected conversion path.
- The crafted input must contain deeply nested
Anyvalues that are expanded during conversion.
Workarounds
Avoid converting untrusted protobuf messages containing google.protobuf.Any values to JSON with affected versions. If immediate upgrade is not possible, reject or limit messages with deeply nested Any payloads at an outer protocol boundary where feasible, avoid JSON conversion of untrusted Any values, or isolate message conversion in a process that can be safely restarted.
AnalysisAI
{json:true}), or JSON.stringify(), unbounded recursion exhausts the JavaScript call stack. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-wcpc-wj8m-hjx6 provides full technical detail and patched versions are available.
Technical ContextAI
protobufjs is a widely deployed pure-JavaScript implementation of Protocol Buffers for Node.js and browsers, distributed via npm. The flaw is rooted in CWE-674 (Uncontrolled Recursion): the generated toObject() conversion and the custom JSON conversion path for the well-known google.protobuf.Any type recursively expand nested Any wrappers without enforcing a maximum depth. Each Any value carries a type_url pointing at another message type in the loaded protobuf root, so attacker-controlled nesting of Any-in-Any-in-Any forces the conversion code to recurse one stack frame per layer until V8 raises a RangeError and aborts the call. Affected CPEs are pkg:npm/protobufjs across both the 7.x and 8.x release lines.
RemediationAI
Vendor-released patches are available: upgrade protobufjs to 7.6.1 on the 7.x line or to 8.4.1 on the 8.x line, as documented in GHSA-wcpc-wj8m-hjx6 (https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6). If immediate upgrade is not possible, the vendor recommends avoiding JSON or plain-object conversion of untrusted messages that contain google.protobuf.Any (i.e. refrain from calling JSON.stringify(message), Message#toJSON(), or Type.toObject(message, { json: true }) on attacker-influenced inputs), rejecting or depth-limiting Any-bearing payloads at an outer protocol boundary such as an API gateway, or isolating message conversion inside a worker process that can be safely restarted on crash. Trade-offs: disabling JSON conversion may break clients that expect a JSON response, depth-limiting at the boundary requires custom parsing logic, and worker isolation increases operational complexity and latency.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38306
GHSA-wcpc-wj8m-hjx6