HIGH🇬🇧 English

CVE-2026-48712

CVSS 7.5v3.1pub. 2026-06-22upd. 2026-06-26

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Protobufjs Project Protobufjs

    APP
    Protobufjs Project
    < 7.6.18.0.0 – 8.4.1 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-41242CRITICAL9.4PL ✓ten sam produkt

Wstrzykiwanie kodu w protobuf.js podczas dekodowania definicji

CVE-2023-36665CRITICAL9.8ten sam produkt

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerab...

CVE-2026-44290HIGH7.5ten sam produkt

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs ...

CVE-2026-44289HIGH7.5ten sam produkt

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs ...

CVE-2026-44291HIGH8.1ten sam produkt

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs ...