{"vulnerability": "CVE-2026-45740", "sightings": [{"uuid": "33f73110-1ba8-4449-bfcb-9a7970af9243", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45740", "type": "seen", "source": "https://gist.github.com/alon710/4e72f2de4fd57f71c04d127b90b84200", "content": "# CVE-2026-45740: Uncontrolled Recursion in protobufjs Leading to Denial of Service\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-05-19\n> **Full Report:** https://cvereports.com/reports/CVE-2026-45740\n\n## Summary\nAn uncontrolled recursion vulnerability exists in the protobufjs library prior to versions 7.5.8 and 8.2.0. The lack of depth limits in the JSON descriptor parsing logic allows attackers to cause a stack overflow and crash the Node.js process via deeply nested payloads.\n\n## TL;DR\nprotobufjs fails to enforce recursion limits during JSON parsing, allowing remote attackers to crash the Node.js process via deeply nested schema payloads.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-674\n- **Attack Vector**: Network-based\n- **CVSS Base Score**: 5.3 (NVD) / 7.5 (Scanners)\n- **EPSS Score**: 0.00058\n- **Impact**: Denial of Service (Process Crash)\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications utilizing protobufjs < 7.5.8\n- Node.js applications utilizing protobufjs 8.0.0 - 8.1.9\n- **protobufjs**: < 7.5.8 (Fixed in: `7.5.8`)\n- **protobufjs**: >= 8.0.0, < 8.2.0 (Fixed in: `8.2.0`)\n\n## Mitigation\n\n- Upgrade protobufjs to patched versions (7.5.8 or 8.2.0+)\n- Implement application-level pre-validation to restrict JSON nesting depth\n- Reject externally provided schemas if dynamic compilation is not strictly required\n\n**Remediation Steps:**\n1. Identify projects utilizing protobufjs via dependency analysis (e.g., npm audit, package-lock.json review)\n2. Update the package.json to require protobufjs ^7.5.8 or ^8.2.0\n3. Execute package manager update commands to pull the latest versions\n4. Verify the application test suite executes correctly against the patched version\n5. Deploy the updated application build to production environments\n\n## References\n\n- [GitHub Security Advisory: GHSA-jggg-4jg4-v7c6](https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jggg-4jg4-v7c6)\n- [Protobuf.js Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)\n- [NVD CVE-2026-45740](https://nvd.nist.gov/vuln/detail/CVE-2026-45740)\n- [Fix Commit 9050289](https://github.com/protobufjs/protobuf.js/commit/9050289ad214ea351d3b030cbc74385e81e02d79)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-45740) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-19T16:40:49.000000Z"}]}