Skip to main content

Protobuf Js EUVDEUVD-2026-42310

| CVE-2026-59877 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-07-08 GitHub_M
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
MEDIUM
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Trivial, automatable trigger (AC:L) once untrusted schema reaches the parser with no auth or interaction (PR:N/UI:N); availability-only infinite-loop DoS gives A:H, C:N/I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jul 10, 2026 - 19:14 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 10, 2026 - 19:14 vuln.today
Analysis Updated
Jul 10, 2026 - 19:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 19:07 vuln.today
cvss_changed
Severity Changed
Jul 10, 2026 - 19:07 NVD
MEDIUM HIGH
CVSS changed
Jul 10, 2026 - 19:07 NVD
5.3 (MEDIUM) 7.5 (HIGH)
Patch available
Jul 08, 2026 - 17:01 EUVD
Analysis Generated
Jul 08, 2026 - 16:47 vuln.today

DescriptionNVD

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.

AnalysisAI

Denial-of-service via infinite loop in protobuf.js (the pure-JavaScript Protocol Buffers implementation for Node.js/browsers) affects versions 8.0.0 through <8.6.6 and 7.5.0 through <7.6.5. When the parser reads an option declaration in a .proto schema it advances through tokens looking for '=' without checking for end-of-input, so a truncated schema (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Audit all Node.js and browser applications to identify those using protobuf.js and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42310 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy