CVE-2026-45740

MEDIUM

protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion

Title source: cna

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jggg-4jg4-v7c6

Scores

CVSS v3 5.3

EPSS 0.0006

EPSS Percentile 18.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-674

Status published

Products (5)

npm/protobufjs 0 - 7.5.8npm

npm/protobufjs 8.0.0 - 8.2.0npm

protobufjs/protobuf.js < 7.5.8

protobufjs/protobuf.js >= 8.0.0, < 8.2.0

protobufjs_project/protobufjs < 7.5.8

Published May 13, 2026

Tracked Since May 13, 2026