
protobufjs EUVD-2026-30039 | CVE-2026-45740 MEDIUM
Uncontrolled Recursion (CWE-674)
Published 2026-05-13 · Source: GitHub_M · GHSA-jggg-4jg4-v7c6
CVSS 3.1 score 5.3 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline

Patch available: May 13, 2026, 16:33 (EUVD)
Analysis generated: May 13, 2026, 16:01 (vuln.today)
CVE published: May 13, 2026, 14:46 (nvd)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved to 4-path depth):
  • 1,193 npm packages depend on protobufjs (67 direct, 1,127 indirect)

Ecosystem-wide dependent count, computed for version 8.0.0.

Description (GitHub Advisory)

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.

Analysis (AI)

Uncontrolled recursion in protobufjs versions prior to 7.5.8 and 8.2.0 allows remote attackers to exhaust the JavaScript call stack by providing crafted JSON descriptors with deeply nested namespace definitions to Root.fromJSON() or Namespace.addJSON(), causing a denial of service. The CVSS vector assumes network reachability and no authentication, but exploitation is only possible where the application passes attacker-controlled or otherwise untrusted protobuf JSON descriptors to one of those two entry points; an application that loads only descriptors bundled with its own code is not exposed through this path.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata. The stage names are the site's fixed kill-chain template; for a pure parser denial of service nothing is installed and there is no command-and-control, so the chain collapses to craft, deliver, parse, crash.

  • Recon: attacker crafts a malicious JSON descriptor with deeply nested namespace definitions
  • Delivery: delivers the descriptor to the vulnerable parser
  • Exploit: Root.fromJSON() or Namespace.addJSON() begins recursive expansion
  • Install: deeply nested namespaces accumulate on the call stack
  • C2: call stack limit exceeded
  • Execute: JavaScript process crashes (an uncaught RangeError terminates a Node.js process; a caught one still aborts the descriptor load)
  • Impact: denial of service

Vulnerability Assessment (AI)

Exploitation: The vulnerability can be exploited only when the application calls Root.fromJSON() or Namespace.addJSON() with a JSON descriptor sourced from an attacker-controlled or untrusted input stream. …

Risk Assessment: The CVSS score of 5.3 (Medium) reflects a network-accessible denial-of-service vulnerability with low attack complexity and no authentication requirement, but limited scope and impact (availability only; no confidentiality or integrity breach). …

Exploit Scenario: An attacker crafts a malicious protobuf JSON descriptor file containing a namespace structure nested to extreme depth (potentially thousands of levels). The attacker delivers this descriptor to an application that parses user-uploaded protobuf definitions or fetches them from an untrusted source. …

Remediation: Upgrade protobufjs to 7.5.8 or later on the 7.x line, or 8.2.0 or later on the 8.x line. Until the upgrade lands, do not pass untrusted JSON descriptors to Root.fromJSON() or Namespace.addJSON(), or bound their nesting depth with a non-recursive check before loading them. …
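The recursion the description refers to, and the depth pre-check suggested under Remediation, as one added example. This is editor-written JavaScript, not protobufjs code and not the 7.5.8/8.2.0 fix: `buildNestedDescriptor` produces a descriptor in protobufjs's JSON shape (`{ nested: { Name: { nested: ... } } }`) nested to a chosen depth, `naiveExpand` walks it recursively the way an unbounded loader would and exhausts the call stack on deep input, and `loadDescriptorChecked` measures nesting with an explicit stack and rejects the descriptor before any recursive loader such as Root.fromJSON() sees it. The function names, the 300,000-level hostile input and the 64-level limit are assumptions; protobufjs itself is not loaded, so the block runs offline.

```javascript
// Added example (not protobufjs code): models the unbounded recursion the
// advisory describes and a depth pre-check a caller can run before handing an
// untrusted JSON descriptor to Root.fromJSON() / Namespace.addJSON().
// Assumed: hypothetical names buildNestedDescriptor, descriptorDepth,
// naiveExpand, tryNaiveExpand, loadDescriptorChecked; protobufjs is not loaded.

// Build a protobufjs-style JSON descriptor whose namespaces nest `depth`
// levels deep: { nested: { n: { nested: { n: { ... } } } } }.
// Constructed in memory; an attacker would ship the same shape as JSON text.
function buildNestedDescriptor(depth) {
  let inner = { nested: {} };          // innermost (empty) namespace
  for (let i = 0; i < depth; i++) {
    inner = { nested: { n: inner } };  // wrap in one more namespace level
  }
  return inner;
}

// Iterative walk: maximum number of nested-namespace levels. Uses an explicit
// stack array so the checker itself cannot be stack-exhausted by the input.
function descriptorDepth(json) {
  let max = 0;
  const stack = [[json, 0]];
  while (stack.length) {
    const [node, depth] = stack.pop();
    if (depth > max) max = depth;
    const nested = node && node.nested;
    if (nested && typeof nested === 'object') {
      for (const name of Object.keys(nested)) {
        stack.push([nested[name], depth + 1]);
      }
    }
  }
  return max;
}

// Unbounded recursive expansion in the style the advisory describes
// (illustrative stand-in, NOT protobufjs's implementation). Returns the
// number of namespace objects visited.
function naiveExpand(node) {
  let count = 1;
  const nested = node && node.nested;
  if (nested && typeof nested === 'object') {
    for (const name of Object.keys(nested)) {
      count += naiveExpand(nested[name]);   // one stack frame per level
    }
  }
  return count;
}

function tryNaiveExpand(json) {
  try {
    return { ok: true, count: naiveExpand(json) };
  } catch (e) {
    // V8 reports call-stack exhaustion as a RangeError
    return { ok: false, error: e.name };
  }
}

// Compensating control: refuse descriptors deeper than maxDepth before any
// recursive loader sees them. `load` is the loader to call on accepted input
// (Root.fromJSON in a real deployment); defaults to identity so this runs
// without protobufjs installed.
function loadDescriptorChecked(json, maxDepth = 64, load = (j) => j) {
  const depth = descriptorDepth(json);
  if (depth > maxDepth) {
    throw new Error(`descriptor nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return load(json);
}

const benign = buildNestedDescriptor(5);
const hostile = buildNestedDescriptor(300000);   // constructed hostile input
console.log('benign depth:', descriptorDepth(benign));
console.log('naive expand on hostile:', tryNaiveExpand(hostile));
try {
  loadDescriptorChecked(hostile);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Run with node: the hostile descriptor makes `tryNaiveExpand` return `{ ok: false, error: 'RangeError' }` under the default stack size, while `loadDescriptorChecked` rejects it by depth in a single pass without recursing. Pick the limit from the deepest package or message nesting in your own .proto files; a few dozen levels is far beyond anything a real schema needs.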



EUVD-2026-30039 vulnerability details – vuln.today
