Impact
The vulnerability arises because protobuf.js retains unknown wire elements during decoding, so a crafted protobuf message can occupy far more memory than its own payload size. This memory amplification can degrade application performance or exhaust available memory, potentially leading to a denial-of-service condition. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling): memory is allocated for decoded content without a bound on how much a single input may consume.
Affected Systems
The affected product is protobuf.js, versions 8.2.0 through 8.4.2. These releases preserved unknown fields in the message.$unknowns structure and offered no option to discard them at decode time. Version 8.5.0 added an option controlling this behavior, and version 8.6.2 changed the default so that unknown fields are discarded unless retention is explicitly opted into. Applications running a vulnerable version and decoding untrusted protobuf data are at risk.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, so the exploitation probability is not quantified, and the vulnerability is not listed in CISA's KEV catalog; the risk profile therefore remains moderate, but it is still relevant to any system that decodes externally supplied protobuf messages. The most likely attack vector is delivery of a malicious protobuf payload to a service or library that parses it with protobuf.js; by filling the message with numerous unknown fields, the attacker can trigger excessive memory growth in the hosting process. Because vulnerable releases retain all unknown fields by default, the amplification applies to every decode path in the application.
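As an added defensive example that is not part of this advisory or of protobuf.js itself: a pre-decode gate that walks the protobuf wire format and rejects a payload carrying more fields outside the schema's known field numbers than a chosen limit, so a retaining decoder never sees them. The known-field set, the limit and the sample payload are constructed assumptions.

```javascript
// Added example (not advisory or protobuf.js code). The known-field set, the
// limit and the sample payload below are constructed assumptions.

const WIRE_VARINT = 0, WIRE_FIXED64 = 1, WIRE_LEN = 2, WIRE_FIXED32 = 5;

// Decode one base-128 varint at `pos`; returns [value, nextPos].
function readVarint(buf, pos) {
  let value = 0, shift = 0;
  while (pos < buf.length && shift <= 63) {
    const b = buf[pos++];
    value += (b & 0x7f) * 2 ** shift;   // multiply, not shift: avoids 32-bit wrap
    if ((b & 0x80) === 0) return [value, pos];
    shift += 7;
  }
  throw new Error('truncated or oversized varint');
}

// Count top-level fields by whether their number is in `knownFields`.
// Throws on malformed input (field number 0, groups, truncated fields).
function countUnknownFields(buf, knownFields) {
  let pos = 0, known = 0, unknown = 0;
  while (pos < buf.length) {
    const [tag, afterTag] = readVarint(buf, pos);
    const fieldNo = Math.floor(tag / 8), wireType = tag & 7;
    if (fieldNo === 0) throw new Error('invalid field number 0');
    pos = afterTag;
    if (wireType === WIRE_VARINT) pos = readVarint(buf, pos)[1];
    else if (wireType === WIRE_FIXED64) pos += 8;
    else if (wireType === WIRE_FIXED32) pos += 4;
    else if (wireType === WIRE_LEN) { const [len, p] = readVarint(buf, pos); pos = p + len; }
    else throw new Error(`unsupported wire type ${wireType}`);  // 3/4 = deprecated groups
    if (pos > buf.length) throw new Error('field extends past end of buffer');
    if (knownFields.has(fieldNo)) known++; else unknown++;
  }
  return { known, unknown };
}

// Gate to run before handing bytes to the decoder: true = safe to decode.
function acceptPayload(buf, knownFields, maxUnknown) {
  try { return countUnknownFields(buf, knownFields).unknown <= maxUnknown; }
  catch (e) { return false; }   // malformed input is rejected rather than decoded
}

// Constructed sample: known field 1 (varint 5) followed by 1000 copies of
// field 15 (tag 0x78 = 15<<3|0) with a 1-byte value; on a vulnerable version
// each 2-byte unknown field becomes a retained entry in message.$unknowns.
const KNOWN_FIELDS = new Set([1]);
const samplePayload = new Uint8Array(2 + 2 * 1000);
samplePayload.set([0x08, 0x05], 0);
for (let i = 0; i < 1000; i++) samplePayload.set([0x78, 0x01], 2 + 2 * i);
```

Upgrading to a release that discards unknown fields by default remains the primary fix; the gate only bounds the cost for decoders that still retain them, and a schema with nested messages needs the same count applied per embedded message.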
OpenCVE Enrichment
Github GHSA