Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

protobufjs compiles protobuf schema definitions into JavaScript functions. In versions prior to 7.5.6 and 8.0.2 the decoder does not enforce a recursion depth limit when parsing nested protobuf messages. An attacker can construct a deeply nested protobuf binary that exhausts the JavaScript call stack during decoding, crashing the decoding process or leaving it unresponsive. The result is a denial-of-service condition that interrupts legitimate traffic.

Affected Systems

The vulnerability affects the protobufjs library (also written protobuf.js). All releases before 7.5.6, and 8.x releases before 8.0.2, are vulnerable. Any JavaScript or Node.js application that includes this library is at risk if it decodes protobuf data from external sources.

Risk and Exploitability

The CVSS v3 score of 7.5 reflects a high impact while the lack of an EPSS value means no current exploitation data is available. Because the attack requires an attacker to supply a malicious protobuf payload, the most likely vector is through network interfaces, file uploads or any API that accepts protobuf messages. The vulnerability is not listed in the CISA KEV catalog; however, the risk of service interruption remains significant if the library is used in exposed services.

Generated by OpenCVE AI on May 13, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade protobufjs to a fixed release: 7.5.6 or later on the 7.x line, or 8.0.2 or later on the 8.x line.
  • If an upgrade is not immediately possible, implement validation to reject messages exceeding a reasonable size or depth before decoding, and monitor the application for stack overflow or out‑of‑memory errors.
  • Apply input‑sanitization best practices: ensure that only trusted clients supply protobuf data, or restrict access to endpoints that process serialized protobuf.
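The pre-decode depth validation from the second recommendation, as an added JavaScript example that is not OpenCVE's or protobufjs's own code: it walks the raw protobuf wire format without a schema, counting group nesting and length-delimited nesting, and rejects a buffer before protobufjs ever decodes it. The limit of 64, the function names and the sample payloads are this example's own choices.

```javascript
// Added example, not protobufjs code: schema-less pre-decode nesting guard over raw protobuf
// wire format. Each start-group and each length-delimited field whose bytes parse as a field
// sequence counts as one level, so strings may be over-counted: the estimate only errs high.
const VARINT = 0, FIXED64 = 1, LEN = 2, SGROUP = 3, EGROUP = 4, FIXED32 = 5;
function readVarint(buf, pos) {            // -> [value, nextPos], or null if truncated/overlong
  let value = 0, shift = 0;
  while (pos < buf.length && shift < 70) {
    const b = buf[pos++];
    value += (b & 0x7f) * 2 ** shift;      // multiply: << would overflow past 32 bits
    if ((b & 0x80) === 0) return [value, pos];
    shift += 7;
  }
  return null;
}
// Walks buf[pos, end) as a field sequence at `depth`: returns {pos, maxDepth}, null when malformed,
// throws RangeError once `limit` is exceeded (which also bounds the guard's own recursion).
// Inside a group (groupField set) it returns right after the matching end-group tag.
function scan(buf, pos, end, depth, limit, groupField) {
  if (depth > limit) throw new RangeError("protobuf nesting exceeds " + limit);
  let maxDepth = depth;
  while (pos < end) {
    const t = readVarint(buf, pos); if (!t || t[1] > end) return null;
    const field = Math.floor(t[0] / 8), wt = t[0] % 8; pos = t[1];
    if (field === 0) return null;
    if (wt === VARINT) { const v = readVarint(buf, pos); if (!v) return null; pos = v[1]; }
    else if (wt === FIXED64) pos += 8;
    else if (wt === FIXED32) pos += 4;
    else if (wt === LEN) {
      const l = readVarint(buf, pos); if (!l) return null;
      const bodyEnd = l[1] + l[0]; if (bodyEnd > end) return null;
      const inner = scan(buf, l[1], bodyEnd, depth + 1, limit, null);
      if (inner) maxDepth = Math.max(maxDepth, inner.maxDepth); // null: treat as opaque bytes
      pos = bodyEnd;
    } else if (wt === SGROUP) {
      const inner = scan(buf, pos, end, depth + 1, limit, field); if (!inner) return null;
      maxDepth = Math.max(maxDepth, inner.maxDepth); pos = inner.pos;
    } else if (wt === EGROUP) return field === groupField ? { pos, maxDepth } : null;
    else return null;
    if (pos > end) return null;
  }
  return groupField === null ? { pos, maxDepth } : null;   // null: unterminated group
}
function nestingDepth(buf, limit = 64) {   // top level = 0; -1 if malformed; limit + 1 if exceeded
  try { const r = scan(buf, 0, buf.length, 0, limit, null); return r ? r.maxDepth : -1; }
  catch (e) { if (e instanceof RangeError) return limit + 1; throw e; }
}
function safeToDecode(buf, limit = 64) { const d = nestingDepth(buf, limit); return d >= 0 && d <= limit; }
// Constructed sample: field 1 (wire type 2) wrapped `levels` deep around 0x08 0x01; one length byte suffices for levels <= 62.
function nestedPayload(levels) { let b = [0x08, 0x01]; for (let i = 0; i < levels; i++) b = [0x0a, b.length, ...b]; return Uint8Array.from(b); }
```

Because a string or bytes field can look like a nested message, the count can be too high but never too low, which is the right failure direction for a guard; pair it with a byte-size limit as the recommendation also suggests.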

Advisories
Source: GitHub GHSA
ID: GHSA-685m-2w69-288q
Title: protobuf.js: Denial of service through unbounded protobuf recursion
History

Thu, 14 May 2026 14:45:00 +0000

Type: First Time appeared; Values Added: Protobuf, Protobuf protobuf
Type: Vendors & Products; Values Added: Protobuf, Protobuf protobuf

Wed, 13 May 2026 21:00:00 +0000

Type: First Time appeared; Values Added: Protobufjs Project, Protobufjs Project protobufjs
Type: CPEs; Values Added: cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*
Type: Vendors & Products; Values Added: Protobufjs Project, Protobufjs Project protobufjs

Wed, 13 May 2026 19:30:00 +0000

Type: Metrics (ssvc); Values Added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type: Description; Values Added: protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.
Type: Title; Values Added: protobufjs: Denial of service through unbounded protobuf recursion
Type: Weaknesses; Values Added: CWE-674
Type: References
Type: Metrics (cvssV3_1); Values Added:

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:20:18.892Z

Reserved: 2026-05-05T17:39:31.112Z

Link: CVE-2026-44289

Vulnrichment

Updated: 2026-05-13T18:15:12.947Z

NVD

Status: Analyzed

Published: 2026-05-13T16:16:55.713

Modified: 2026-05-13T20:50:50.140

Link: CVE-2026-44289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses