Skip to main content

protobufjs EUVDEUVD-2026-38307

| CVE-2026-54269 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-06-15 https://github.com/protobufjs/protobuf.js GHSA-f38q-mgvj-vph7
5.3
CVSS 3.1 · Vendor: https://github.com/protobufjs/protobuf.js
Share

Severity by source

Vendor (https://github.com/protobufjs/protobuf.js) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
5.3 MEDIUM

Network-reachable schema injection requires no authentication; availability impact is partial and scoped to the affected API processing path only, with no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/protobufjs/protobuf.js).

CVSS VectorVendor: https://github.com/protobufjs/protobuf.js

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 15, 2026 - 17:58 vuln.today
Analysis Generated
Jun 15, 2026 - 17:58 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,242 npm packages depend on protobufjs (72 direct, 1,171 indirect)

Ecosystem-wide dependent count for version 8.0.0.

DescriptionCVE.org

Summary

protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall.

When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation.

Impact

An attacker who can provide or influence protobuf schemas or protobufjs JSON descriptors may be able to make affected message or service types unusable, resulting in denial of service for the affected processing path.

Applications using only trusted schemas are affected only if those schemas contain one of the problematic names and the application reaches the affected API path.

The issue is not known to allow code execution by itself.

Preconditions

  • The application must use an affected protobufjs version.
  • The application must load or use a schema or protobufjs JSON descriptor containing one of the problematic names:
  • a field named hasOwnProperty,
  • a field or oneof named $type through protobufjs JSON/reflection descriptor input,
  • or a service method whose generated helper name is rpcCall.
  • The application must reach the affected API path for that name: required-field decode post-checks, verify, or toObject for hasOwnProperty; reflected message JSON serialization for $type; or protobufjs RPC service invocation for rpcCall.

Workarounds

Do not load protobuf schemas or protobufjs JSON descriptors from untrusted sources with affected versions. If untrusted schemas or descriptors must be accepted, validate schema-derived field, oneof, and service method names before loading and reject the problematic names described above.

Applications using trusted schemas can avoid the issue by renaming affected fields or service methods, or by avoiding the affected API path.

AnalysisAI

Schema-name shadowing in protobufjs (npm packages protobufjs and protobufjs-cli) enables denial of service when an attacker can supply or influence protobuf schemas containing field or service method names that collide with JavaScript runtime-significant identifiers used by the protobufjs runtime. Affected names - specifically a field named hasOwnProperty, a field or oneof named $type via JSON/reflection descriptors, and service methods whose generated helper resolves to rpcCall - cause the runtime to read schema-controlled data in place of expected internal helpers, producing deterministic exceptions or uncontrolled recursion (CWE-674) across decode, verification, serialization, and RPC invocation paths. No public exploit has been identified and no active exploitation is confirmed; the misleading 'RCE' tag in the intelligence metadata is directly contradicted by the vendor advisory, which explicitly states the issue is not known to allow code execution.

Technical ContextAI

protobufjs (pkg:npm/protobufjs) is the canonical JavaScript/TypeScript implementation of Protocol Buffers for Node.js and browser environments. The library generates runtime objects and service stubs from schema definitions, attaching internal helpers such as hasOwnProperty (inherited from Object.prototype), $type (reflected type metadata used in JSON serialization), and rpcCall (base RPC service helper) directly onto generated message and service objects. JavaScript's prototype-based property lookup means that if a schema defines a field or method using one of these reserved names, the generated object's own-property assignment shadows the prototype-chain or runtime-assigned helper. When protobufjs subsequently attempts to call what it believes is an internal utility, it instead invokes or reads the schema-derived value, causing either a TypeError (if the value is not callable) or recursive self-invocation leading to stack exhaustion - the class of failure described by CWE-674 (Uncontrolled Recursion). The vulnerability surfaces in verify, toObject, required-field decode post-checks, reflected JSON serialization, and RPC service invocation. Companion package protobufjs-cli (pkg:npm/protobufjs-cli) is also affected because it performs schema loading and code generation using the same library.

RemediationAI

Upgrade protobufjs to version 7.6.3 (for the 7.x series) or 8.6.0 (for the 8.x series), and upgrade protobufjs-cli to version 1.3.3 (for the 1.x series) or 2.5.1 (for the 2.x series). These fix versions are confirmed by the vendor advisory at https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7. If immediate upgrade is not feasible, the vendor-documented workaround is to reject untrusted schema input entirely - do not load protobuf schemas or protobufjs JSON descriptors from external or user-controlled sources until patched. If untrusted schemas must be accepted, implement pre-load validation that inspects field names, oneof names, and service method generated helper names and rejects any that match hasOwnProperty, $type, or rpcCall; note that this requires understanding protobufjs name-generation logic to enumerate all rpcCall-colliding method names. For applications using only trusted schemas, rename any fields, oneofs, or service methods using the problematic identifiers, or avoid invoking the affected API paths (verify, toObject, reflected JSON serialization, RPC invocation) on types containing those names as a compensating control - though this may limit application functionality.

Share

EUVD-2026-38307 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy