CVE Catalog

CVE-2026-48712

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

A vulnerability in protobufjs before versions 7.6.1 and 8.4.1 allows exhaustion of the JavaScript call stack when converting decoded protobuf messages to objects or JSON. The issue stems from the lack of a depth limit for recursion when processing nested Any values.

Risk Assessment

An attacker can send a crafted protobuf binary payload containing deeply nested Any values, leading to call stack exhaustion and potential denial of service (DoS) in applications using protobufjs.

Recommendation

Immediately update protobufjs to version 7.6.1 or 8.4.1, depending on the major version in use.

Original NVD description (English source)

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS