protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.

Basic Information

ID CVE-2026-45740

Source GitHub_M

Published May 13, 2026 at 14:46

Affected Product

Vendor protobufjs

Product protobuf.js

Version < 7.5.8

Affected Versions protobufjs protobuf.js < 7.5.8
protobufjs protobuf.js >= 8.0.0, < 8.2.0

CWE Classification

CWE-674

References

github.com /protobufjs/protobuf.js/security/advisories/GHSA-jggg-4jg4-v7c6

{
    "lastseen": "",
    "description": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.",
    "published": "2026-05-13T14:46:02.689Z",
    "modified": "2026-05-13T14:46:02.689Z",
    "type": "cve",
    "title": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion",
    "source": "GitHub_M",
    "references": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jggg-4jg4-v7c6",
    "id": "CVE-2026-45740",
    "bulletinFamily": "",
    "cwe": [
        "CWE-674"
    ],
    "cvelist": null,
    "sourceData": "protobufjs protobuf.js < 7.5.8\nprotobufjs protobuf.js >= 8.0.0, < 8.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "protobuf.js",
    "version": "< 7.5.8",
    "vendor": "protobufjs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion_CVE-2026-45740