CVE-2026-54270
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
Versions of protobufjs from 8.2.0 to 8.4.2 lacked options to discard unknown fields during decoding, which could lead to excessive memory usage by decoded messages. Version 8.5.0 introduced options to disable unknown field retention, and version 8.6.2 defaults to discarding unknown fields.
Risk Assessment
Organizations may experience performance issues and excessive memory consumption when applications decode untrusted protobuf data. This could lead to application crashes or service degradation.
Recommendation
It is recommended to upgrade to protobufjs version 8.6.2 or later to take advantage of the default unknown field discarding. Additionally, applications should be configured to use decoding options that disable unknown field retention.
Original NVD description (English source)
protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 to 8.4.2, protobufjs preserved unknown wire elements in message.$unknowns and did not provide a decode-time option to discard unknown fields before retaining them. A crafted protobuf payload containing many unknown fields could therefore cause a decoded message to retain substantially more memory than the input size would suggest, even when unknown-field round-tripping is not needed. protobufjs 8.5.0 added the relevant decode-time options, allowing applications that decode untrusted protobuf data to disable unknown-field retention during decode. protobufjs 8.6.2 flips the default so unknown fields are discarded unless explicitly opted into.

