Description
protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.
A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding.
Recommendation
Update the protobufjs package to the latest compatible version. Followings are version details:
Affected version(s): **>= 8.0.0, <= 8.0.1 <= 7.5.5** Patched version(s): **8.0.2 7.5.6**
References
Related Issues
- protobuf.js: Process-wide denial of service through unsafe option paths - CVE-2026-44290
- protobuf.js: Denial of service from crafted field names in generated code - CVE-2026-44294
- protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion - CVE-2026-45740
- protobuf.js: Code injection through bytes field defaults in generated toObject code - CVE-2026-44293
You might also like:
- Tags:
- npm
- protobufjs
Anything's wrong? Let us know Last updated on May 14, 2026