Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

Related vulnerabilities

GHSA-WCPC-WJ8M-HJX6

Vulnerability from github – Published: 2026-06-15 17:30 – Updated: 2026-06-15 17:30
VLAI
Summary
protobufjs: Denial of service through unbounded Any expansion during JSON conversion
Details

Summary

protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path.

A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON.

Impact

An attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause message conversion to fail with a stack overflow.

This affects applications that decode untrusted protobuf input containing google.protobuf.Any values and then convert decoded messages to JSON or plain objects with JSON conversion enabled, for example through JSON.stringify(message), Message#toJSON(), or Type.toObject(message, { json: true }).

Applications that only decode and re-encode protobuf binary data without converting decoded messages to JSON are not directly affected by this issue.

Preconditions

  • The application must decode protobuf binary data influenced by an attacker.
  • The application schema must include google.protobuf.Any, and the referenced type_url must resolve to a message type in the loaded protobuf root.
  • The application must convert the decoded message to JSON or a plain object through an affected conversion path.
  • The crafted input must contain deeply nested Any values that are expanded during conversion.

Workarounds

Avoid converting untrusted protobuf messages containing google.protobuf.Any values to JSON with affected versions. If immediate upgrade is not possible, reject or limit messages with deeply nested Any payloads at an outer protocol boundary where feasible, avoid JSON conversion of untrusted Any values, or isolate message conversion in a process that can be safely restarted.

Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.6.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.4.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48712"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T17:30:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nprotobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path.\n\nA crafted protobuf binary payload containing deeply nested `Any` values could cause the JavaScript call stack to be exhausted during conversion to JSON.\n\n## Impact\n\nAn attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause message conversion to fail with a stack overflow.\n\nThis affects applications that decode untrusted protobuf input containing `google.protobuf.Any` values and then convert decoded messages to JSON or plain objects with JSON conversion enabled, for example through `JSON.stringify(message)`, `Message#toJSON()`, or `Type.toObject(message, { json: true })`.\n\nApplications that only decode and re-encode protobuf binary data without converting decoded messages to JSON are not directly affected by this issue.\n\n## Preconditions\n\n* The application must decode protobuf binary data influenced by an attacker.\n* The application schema must include `google.protobuf.Any`, and the referenced `type_url` must resolve to a message type in the loaded protobuf root.\n* The application must convert the decoded message to JSON or a plain object through an affected conversion path.\n* The crafted input must contain deeply nested `Any` values that are expanded during conversion.\n\n## Workarounds\n\nAvoid converting untrusted protobuf messages containing `google.protobuf.Any` values to JSON with affected versions. If immediate upgrade is not possible, reject or limit messages with deeply nested `Any` payloads at an outer protocol boundary where feasible, avoid JSON conversion of untrusted `Any` values, or isolate message conversion in a process that can be safely restarted.",
  "id": "GHSA-wcpc-wj8m-hjx6",
  "modified": "2026-06-15T17:30:15Z",
  "published": "2026-06-15T17:30:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/protobufjs/protobuf.js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "protobufjs: Denial of service through unbounded Any expansion during JSON conversion"
}