CVE Catalog

CVE-2026-54270

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile — higher than 21% of all known CVEs

Summary

Versions of protobufjs from 8.2.0 to 8.4.2 lacked options to discard unknown fields during decoding, which could lead to excessive memory usage by decoded messages. Version 8.5.0 introduced options to disable unknown field retention, and version 8.6.2 defaults to discarding unknown fields.

Risk Assessment

Organizations may experience performance issues and excessive memory consumption when applications decode untrusted protobuf data. This could lead to application crashes or service degradation.

Recommendation

It is recommended to upgrade to protobufjs version 8.6.2 or later to take advantage of the default unknown field discarding. Additionally, applications should be configured to use decoding options that disable unknown field retention.

Original NVD description (English source)

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 to 8.4.2, protobufjs preserved unknown wire elements in message.$unknowns and did not provide a decode-time option to discard unknown fields before retaining them. A crafted protobuf payload containing many unknown fields could therefore cause a decoded message to retain substantially more memory than the input size would suggest, even when unknown-field round-tripping is not needed. protobufjs 8.5.0 added the relevant decode-time options, allowing applications that decode untrusted protobuf data to disable unknown-field retention during decode. protobufjs 8.6.2 flips the default so unknown fields are discarded unless explicitly opted into.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS