Skip to main content

protobufjs CVE-2026-48712

| EUVDEUVD-2026-38306 HIGH
Uncontrolled Recursion (CWE-674)
2026-06-15 https://github.com/protobufjs/protobuf.js GHSA-wcpc-wj8m-hjx6
7.5
CVSS 3.1 · Vendor: https://github.com/protobufjs/protobuf.js
Share

Severity by source

Vendor (https://github.com/protobufjs/protobuf.js) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote untrusted protobuf input with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); only availability is impacted via process crash (C:N/I:N/A:H), scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/protobufjs/protobuf.js).

CVSS VectorVendor: https://github.com/protobufjs/protobuf.js

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 15, 2026 - 17:55 vuln.today
Analysis Generated
Jun 15, 2026 - 17:55 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,242 npm packages depend on protobufjs (72 direct, 1,171 indirect)

Ecosystem-wide dependent count for version 8.0.0.

DescriptionCVE.org

Summary

protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path.

A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON.

Impact

An attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause message conversion to fail with a stack overflow.

This affects applications that decode untrusted protobuf input containing google.protobuf.Any values and then convert decoded messages to JSON or plain objects with JSON conversion enabled, for example through JSON.stringify(message), Message#toJSON(), or Type.toObject(message, { json: true }).

Applications that only decode and re-encode protobuf binary data without converting decoded messages to JSON are not directly affected by this issue.

Preconditions

  • The application must decode protobuf binary data influenced by an attacker.
  • The application schema must include google.protobuf.Any, and the referenced type_url must resolve to a message type in the loaded protobuf root.
  • The application must convert the decoded message to JSON or a plain object through an affected conversion path.
  • The crafted input must contain deeply nested Any values that are expanded during conversion.

Workarounds

Avoid converting untrusted protobuf messages containing google.protobuf.Any values to JSON with affected versions. If immediate upgrade is not possible, reject or limit messages with deeply nested Any payloads at an outer protocol boundary where feasible, avoid JSON conversion of untrusted Any values, or isolate message conversion in a process that can be safely restarted.

AnalysisAI

{json:true}), or JSON.stringify(), unbounded recursion exhausts the JavaScript call stack. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-wcpc-wj8m-hjx6 provides full technical detail and patched versions are available.

Technical ContextAI

protobufjs is a widely deployed pure-JavaScript implementation of Protocol Buffers for Node.js and browsers, distributed via npm. The flaw is rooted in CWE-674 (Uncontrolled Recursion): the generated toObject() conversion and the custom JSON conversion path for the well-known google.protobuf.Any type recursively expand nested Any wrappers without enforcing a maximum depth. Each Any value carries a type_url pointing at another message type in the loaded protobuf root, so attacker-controlled nesting of Any-in-Any-in-Any forces the conversion code to recurse one stack frame per layer until V8 raises a RangeError and aborts the call. Affected CPEs are pkg:npm/protobufjs across both the 7.x and 8.x release lines.

RemediationAI

Vendor-released patches are available: upgrade protobufjs to 7.6.1 on the 7.x line or to 8.4.1 on the 8.x line, as documented in GHSA-wcpc-wj8m-hjx6 (https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6). If immediate upgrade is not possible, the vendor recommends avoiding JSON or plain-object conversion of untrusted messages that contain google.protobuf.Any (i.e. refrain from calling JSON.stringify(message), Message#toJSON(), or Type.toObject(message, { json: true }) on attacker-influenced inputs), rejecting or depth-limiting Any-bearing payloads at an outer protocol boundary such as an API gateway, or isolating message conversion inside a worker process that can be safely restarted on crash. Trade-offs: disabling JSON conversion may break clients that expect a JSON response, depth-limiting at the boundary requires custom parsing logic, and worker isolation increases operational complexity and latency.

Share

CVE-2026-48712 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy