Impact
protobufjs compiles protobuf definitions into JavaScript functions. Versions prior to 8.6.0 and 7.6.3 accepted certain schema‑derived names that could collide with properties used by the protobufjs runtime helper modules. These collisions allowed the library to treat data from the message schema as internal helpers during decoding, verification, conversion, JSON serialization, or RPC invocation. As a result, deterministic exceptions were raised or unbounded recursive calls occurred, leading to application crashes or unresponsive services. The weakness is reflected in CWE‑674 (Uncontrolled Recursion) and CWE‑754 (Use of Insecure Random Number Generator) as the code performs unchecked recursive logic when processing the malicious schema fields.
Affected Systems
The vulnerability affects any software that imports the protobufjs library and uses protobuf definitions containing fields named hasOwnProperty or field, oneofs with names such as $type, or service methods whose generated helper name is rpcCall. Codebases that compile messages or services using these names on an older protobufjs release (any version earlier than 8.6.0 or 7.6.3) are susceptible. No products beyond the protobuf.js library itself are listed.
Risk and Exploitability
The CVSS score of 5.3 indicates a medium-severity vulnerability. EPSS data is unavailable, so the probability of exploitation cannot be quantified. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to provide or manipulate a protobuf schema definition that the application processes at runtime. If the application accepts untrusted or dynamically loaded schemas, the attacker could trigger the crash or denial-of-service condition, impacting availability of the affected service.
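For applications that do load schemas at runtime, one mitigation is to validate the descriptor before it reaches the library. The following is an added example, not code from protobufjs or from the advisory: it walks a protobufjs-style JSON descriptor (the `nested`/`fields`/`oneofs`/`methods` layout) and flags the names this advisory lists; the additional Object.prototype check is a broader guard added here as an assumption.

```javascript
// Added example, not protobufjs code: validate a protobufjs JSON descriptor
// before loading it, rejecting schema-derived names the advisory reports as
// colliding with runtime helpers. The Object.prototype check is a broader guard
// added here as an assumption, not something the advisory lists.
const RESERVED = {
  field: new Set(["hasOwnProperty", "field"]),
  oneof: new Set(["$type"]),
  method: new Set(["rpcCall"]),
};

function isReserved(kind, name) {
  return RESERVED[kind].has(name) ||
    Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Walk descriptor.nested recursively; returns one finding per colliding name
function findCollidingNames(descriptor, path = [], findings = []) {
  for (const [name, node] of Object.entries(descriptor.nested || {})) {
    const here = [...path, name].join(".");
    const groups = { field: node.fields, oneof: node.oneofs, method: node.methods };
    for (const [kind, members] of Object.entries(groups)) {
      for (const member of Object.keys(members || {})) {
        if (isReserved(kind, member)) findings.push({ kind, path: here, name: member });
      }
    }
    findCollidingNames(node, [...path, name], findings);
  }
  return findings;
}

// Constructed sample in protobufjs JSON-descriptor format, one hit per kind
const untrustedDescriptor = {
  nested: { demo: { nested: {
    Msg: {
      fields: { id: { type: "uint32", id: 1 }, hasOwnProperty: { type: "string", id: 2 } },
      oneofs: { $type: { oneof: ["id"] } },
    },
    Svc: { methods: { rpcCall: { requestType: "Msg", responseType: "Msg" } } },
  } } },
};

const collisions = findCollidingNames(untrustedDescriptor);
if (collisions.length > 0) {
  // Refuse the schema rather than passing it to protobuf.Root.fromJSON
  console.log("rejecting schema:", collisions);
}
```

Run the check on every descriptor from an untrusted source and refuse to call `protobuf.Root.fromJSON` (or `protobuf.parse` on the equivalent .proto text) when it returns any finding.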
OpenCVE Enrichment
Github GHSA