CVE-2026-48712
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
A vulnerability in protobufjs before versions 7.6.1 and 8.4.1 allows exhaustion of the JavaScript call stack when converting decoded protobuf messages to objects or JSON. The issue stems from the lack of a depth limit for recursion when processing nested Any values.
Risk Assessment
An attacker can send a crafted protobuf binary payload containing deeply nested Any values, leading to call stack exhaustion and potential denial of service (DoS) in applications using protobufjs.
Recommendation
Immediately update protobufjs to version 7.6.1 or 8.4.1, depending on the major version in use.
Original NVD description (English source)
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1.

