CVE-2026-48712 (CNA: GitHub_M), published 2026-06-22 16:21 UTC
State: PUBLISHED. Record format: CVE JSON 5.2. Problem type: CWE-674 (Uncontrolled Recursion). CVSS 3.1: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

protobufjs: Denial of service through unbounded Any expansion during JSON conversion

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1.

Problem type

CWE-674: Uncontrolled Recursion

Affected products

protobufjs

protobuf.js

< 7.6.1 - AFFECTED

>= 8.0.0, < 8.4.1 - AFFECTED

References

GitHub Security Advisories

GHSA-wcpc-wj8m-hjx6

protobufjs: Denial of service through unbounded Any expansion during JSON conversion

https://github.com/advisories/GHSA-wcpc-wj8m-hjx6

Summary

protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path.

A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON.

Impact

An attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause message conversion to fail with a stack overflow.

This affects applications that decode untrusted protobuf input containing google.protobuf.Any values and then convert decoded messages to JSON or plain objects with JSON conversion enabled, for example through JSON.stringify(message), Message#toJSON(), or Type.toObject(message, { json: true }).

Applications that only decode and re-encode protobuf binary data without converting decoded messages to JSON are not directly affected by this issue.

Preconditions

  • The application must decode protobuf binary data influenced by an attacker.
  • The application schema must include google.protobuf.Any, and the referenced type_url must resolve to a message type in the loaded protobuf root.
  • The application must convert the decoded message to JSON or a plain object through an affected conversion path.
  • The crafted input must contain deeply nested Any values that are expanded during conversion.

Workarounds

Avoid converting untrusted protobuf messages containing google.protobuf.Any values to JSON with affected versions. If immediate upgrade is not possible, reject or limit messages with deeply nested Any payloads at an outer protocol boundary where feasible, avoid JSON conversion of untrusted Any values, or isolate message conversion in a process that can be safely restarted.
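The Preconditions and Workarounds above both come down to one question: how deeply do google.protobuf.Any values nest in the bytes you are about to decode and convert? The following is an added example, not code from the protobufjs project or from the advisory. It walks the raw protobuf wire format without a schema, counts Any nesting by shape (field 1 a printable type_url containing "/", field 2 a length-delimited value), and rejects a payload at the protocol boundary before toObject()/toJSON() ever sees it. The function names (anyNestingDepth, isSafeToConvert, nestedAny), the limit MAX_ANY_DEPTH, and the Any shape heuristic are all assumptions; the nested payload is constructed in the block, not captured traffic.

```javascript
'use strict';

// Added example (not protobufjs or advisory code): schema-free walk over
// protobuf wire format that measures how deeply google.protobuf.Any values
// nest, so untrusted bytes can be rejected at a protocol boundary before
// protobufjs toObject()/toJSON() expands them. All names are assumptions.

const MAX_ANY_DEPTH = 32; // assumed policy limit; tune per application

// Decode a base-128 varint at pos. Returns [value, nextPos], or null if truncated/overlong.
function readVarint(buf, pos) {
  let value = 0, shift = 0;
  while (pos < buf.length && shift <= 63) {
    const b = buf[pos++];
    value += (b & 0x7f) * 2 ** shift; // multiply rather than << to stay correct past 2^31
    if ((b & 0x80) === 0) return [value, pos];
    shift += 7;
  }
  return null;
}

// Split one message into [{field, wireType, bytes}] (bytes only for wire type 2).
// Returns null when the buffer is not a well-formed message (e.g. it is a string leaf).
function parseFields(buf) {
  const fields = [];
  let pos = 0;
  while (pos < buf.length) {
    const tag = readVarint(buf, pos);
    if (tag === null) return null;
    const field = Math.floor(tag[0] / 8), wireType = tag[0] % 8;
    pos = tag[1];
    if (field === 0) return null;
    let bytes = null;
    switch (wireType) {
      case 0: { const v = readVarint(buf, pos); if (v === null) return null; pos = v[1]; break; }
      case 1: pos += 8; break;
      case 5: pos += 4; break;
      case 2: {
        const len = readVarint(buf, pos);
        if (len === null || len[1] + len[0] > buf.length) return null;
        bytes = buf.subarray(len[1], len[1] + len[0]);
        pos = len[1] + len[0];
        break;
      }
      default: return null; // groups / unknown wire types: not treated as a message
    }
    if (pos > buf.length) return null;
    fields.push({ field, wireType, bytes });
  }
  return fields;
}

// Shape heuristic (assumption) for google.protobuf.Any without a schema:
// field 1 = type_url as printable text containing "/", field 2 = value.
function asAny(fields) {
  let typeUrl = null, value = null;
  for (const f of fields) {
    if (f.wireType !== 2) continue;
    if (f.field === 1) typeUrl = f.bytes;
    else if (f.field === 2) value = f.bytes;
  }
  if (typeUrl === null || value === null) return null;
  const url = Buffer.from(typeUrl).toString('latin1');
  return /^[\x21-\x7e]+\/[\x21-\x7e]+$/.test(url) ? { url, value } : null;
}

// Deepest Any nesting reachable by descending into Any.value and into every
// length-delimited field that parses as a message. Uses an explicit stack, so
// the check itself cannot exhaust the call stack; stops as soon as `limit` is exceeded.
function anyNestingDepth(bytes, limit = MAX_ANY_DEPTH) {
  let max = 0;
  const stack = [{ buf: bytes, depth: 0 }];
  while (stack.length > 0) {
    const { buf, depth } = stack.pop();
    const fields = parseFields(buf);
    if (fields === null) continue; // string/bytes leaf
    const any = asAny(fields);
    if (any !== null) {
      max = Math.max(max, depth + 1);
      if (max > limit) return max;
      stack.push({ buf: any.value, depth: depth + 1 });
    } else {
      for (const f of fields) if (f.wireType === 2 && f.bytes.length > 0) stack.push({ buf: f.bytes, depth });
    }
  }
  return max;
}

// Boundary check: true when the payload may be handed to JSON conversion.
function isSafeToConvert(bytes, limit = MAX_ANY_DEPTH) {
  return anyNestingDepth(bytes, limit) <= limit;
}

// --- Constructed payload builder (test data, not captured traffic) ---
function encodeVarint(n) {
  const out = [];
  while (n > 127) { out.push((n % 128) | 0x80); n = Math.floor(n / 128); }
  out.push(n);
  return out;
}
function lengthDelimited(field, payload) {
  return [...encodeVarint(field * 8 + 2), ...encodeVarint(payload.length), ...payload];
}
// Any wrapped in Any `levels` deep; the innermost value is a one-field leaf message.
function nestedAny(levels) {
  const typeUrl = [...Buffer.from('type.googleapis.com/google.protobuf.Any')];
  let msg = [0x08, 0x01]; // leaf: field 1, varint 1
  for (let i = 0; i < levels; i++) msg = [...lengthDelimited(1, typeUrl), ...lengthDelimited(2, msg)];
  return Uint8Array.from(msg);
}

console.log('depth of 5-level payload:', anyNestingDepth(nestedAny(5)));              // 5
console.log('safe?', isSafeToConvert(nestedAny(5)), isSafeToConvert(nestedAny(100))); // true false
```

The walk only reads field headers and slices sub-ranges, so cost is linear in the number of fields rather than in bytes times depth. Because it has no schema, it is conservative in both directions: a bytes field whose content happens to look like an Any counts toward the depth (a benign message could be rejected), and a top-level buffer that does not parse at all scores 0 (protobufjs will reject that on decode anyway). Run it on the raw request body before Type.decode(), and keep the upgrade to 7.6.1 / 8.4.1 as the real fix.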

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-48712
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-48712",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T16:21:21.506Z",
    "dateReserved": "2026-05-22T18:47:27.755Z",
    "datePublished": "2026-06-22T16:21:21.506Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T16:21:21.506Z"
      },
      "title": "protobufjs: Denial of service through unbounded Any expansion during JSON conversion",
      "descriptions": [
        {
          "lang": "en",
          "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1."
        }
      ],
      "affected": [
        {
          "vendor": "protobufjs",
          "product": "protobuf.js",
          "versions": [
            {
              "version": "< 7.6.1",
              "status": "affected"
            },
            {
              "version": ">= 8.0.0, < 8.4.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-674: Uncontrolled Recursion",
              "cweId": "CWE-674",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6",
          "name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH"
          }
        }
      ]
    }
  }
}