protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion

Description

protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON().

A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading.

Recommendation

Update the protobufjs package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 8.0.0, < 8.2.0

  <= 7.5.7**

• Patched version(s): **8.2.0

  7.5.8**

References

• GHSA-jggg-4jg4-v7c6
• CVE-2026-45740
• CWE-674
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
• protobuf.js: Denial of service through unbounded protobuf recursion - CVE-2026-44289
• Nuxt OG Image is vulnerable to Denial of Service via unbounded image dimensions - CVE-2026-34404
• Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

protobufjs