Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

protobufjs is a JavaScript library that compiles Protocol Buffers definitions into executable code. The vulnerability allows an attacker to craft a JSON descriptor with deeply nested namespace definitions that, when passed to Root.fromJSON() or Namespace.addJSON(), causes the library to recurse without a depth limit. The uncontrolled recursion exhausts the JavaScript call stack during descriptor loading, effectively halting the application that relies on protobuf.js and resulting in a denial of service. The flaw is a classic case of unbounded recursion (CWE‑674).

Affected Systems

The issue affects the protobuf.js library distributed by the protobufjs organisation. All protobuf.js versions before 7.5.8 in the 7.x line and before 8.2.0 in the 8.x line are susceptible to this defect. Upgrading to 7.5.8, 8.2.0, or any later 7.x or 8.x release that incorporates the fix mitigates the risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS information is available, so the exploitation likelihood is uncertain, and the vulnerability is not catalogued in the CISA KEV. The most probable attack vector is an application that issues or accepts a malicious JSON descriptor, such as a user‑provided schema or a configuration payload, and thereby triggers the recursion. If an attacker controls the descriptor content, the application could be rendered unavailable to end users.

Generated by OpenCVE AI on May 13, 2026 at 18:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the protobuf.js library to version 7.5.8 or later, or 8.2.0 or later.
  • Avoid using Root.fromJSON() or Namespace.addJSON() with untrusted or user‑supplied JSON descriptors in affected versions.
  • Implement input validation or depth‑limit checks on JSON descriptors before passing them to the library, ensuring that excessively nested structures are rejected or truncated.
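One way to implement the depth-limit check from the last recommendation, as an added example (not protobufjs code and not part of the advisory). It rejects rather than truncates, walks the descriptor with an explicit stack so the check itself cannot overflow, and is meant to run on the parsed descriptor before Root.fromJSON() or Namespace.addJSON(). The function names and the limit of 64 are assumptions.

```javascript
// Added example: pre-validation of a protobufjs JSON descriptor.
// MAX_NESTED_DEPTH is an assumed policy value, not a protobufjs setting.
const MAX_NESTED_DEPTH = 64;

// Returns the longest chain of `nested` maps in the descriptor (root = 0).
// Uses an explicit stack instead of recursion, and stops early once the
// chain is longer than `limit`.
function nestedDepth(descriptor, limit = Infinity) {
  let deepest = 0;
  const stack = [{ node: descriptor, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > deepest) deepest = depth;
    if (deepest > limit) return deepest;
    const nested = node && typeof node === "object" ? node.nested : undefined;
    if (nested === null || typeof nested !== "object") continue;
    for (const name of Object.keys(nested)) {
      stack.push({ node: nested[name], depth: depth + 1 });
    }
  }
  return deepest;
}

// Throws if the descriptor nests deeper than `limit`; otherwise returns it
// unchanged so the call can wrap the argument to the descriptor loader.
function assertSafeDescriptor(descriptor, limit = MAX_NESTED_DEPTH) {
  if (nestedDepth(descriptor, limit) > limit) {
    throw new RangeError(`descriptor nesting exceeds limit of ${limit}`);
  }
  return descriptor;
}

// Constructed sample input: a descriptor with `levels` namespaces nested
// one inside the other (ns0 -> ns1 -> ...).
function buildNested(levels) {
  const root = {};
  let cur = root;
  for (let i = 0; i < levels; i++) {
    const child = {};
    cur.nested = { ["ns" + i]: child };
    cur = child;
  }
  return root;
}
```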



Advisories
Source: Github GHSA
ID: GHSA-jggg-4jg4-v7c6
Title: protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion

History

Thu, 14 May 2026 14:45:00 +0000

Values Added (no values removed):
  • First Time appeared: Protobuf; Protobuf protobuf
  • Vendors & Products: Protobuf; Protobuf protobuf

Wed, 13 May 2026 21:00:00 +0000

Values Added (no values removed):
  • First Time appeared: Protobufjs Project; Protobufjs Project protobufjs
  • CPEs: cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Protobufjs Project; Protobufjs Project protobufjs

Wed, 13 May 2026 19:30:00 +0000

Values Added (no values removed):
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Values Added (no values removed):
  • Description: protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.
  • Title: protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
  • Weaknesses: CWE-674
  • References
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:20:12.394Z

Reserved: 2026-05-13T06:54:34.219Z

Link: CVE-2026-45740

Vulnrichment

Updated: 2026-05-13T18:14:56.640Z

NVD

Status: Analyzed

Published: 2026-05-13T16:17:00.520

Modified: 2026-05-13T20:50:15.587

Link: CVE-2026-45740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z
