Denial of Service in protobufjs - protobufjs

Description

Versions of protobufjs before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid *.proto files.

Recommendation

Update the protobufjs package to the latest compatible version. Followings are version details:

• Affected version(s): **< 5.0.3

  >= 6.0.0, < 6.8.6**

• Patched version(s): **5.0.3

  6.8.6**

References

• GHSA-762f-c2wg-m8c8
• hackerone.com
• www.npmjs.com
• CVE-2018-3738
• CWE-1333
• CAPEC-310
• OWASP 2021-A6

Related Issues

• protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion - CVE-2026-45740
• protobuf.js: Process-wide denial of service through unsafe option paths - CVE-2026-44290
• protobuf.js: Denial of service through unbounded protobuf recursion - CVE-2026-44289
• uap-core Regular Expression Denial of Service issue - CVE-2018-20164

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

protobufjs