DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-45740: Uncontrolled Recursion in protobufjs Leading to Denial of Service

Vulnerability ID: CVE-2026-45740
CVSS Score: 5.3
Published: 2026-05-19

An uncontrolled recursion vulnerability (CWE-674) exists in protobufjs before 7.5.8 and in 8.0.0 through 8.1.x (before 8.2.0). The JSON descriptor parsing logic imposes no depth limit, so an attacker who can supply a deeply nested descriptor drives the parser into unbounded recursion, exhausts the JavaScript call stack, and crashes the Node.js process.

TL;DR

protobufjs enforces no recursion limit while parsing JSON schema descriptors, so a remote attacker who can get an application to load a deeply nested descriptor can crash the Node.js process. The bug is reachable remotely only where an application compiles descriptors it receives from outside; descriptors bundled with the application's own code are not an attack surface.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-674
  • Attack Vector: Network-based
  • CVSS Base Score: 5.3 (NVD) / 7.5 (some third-party scanners)
  • EPSS Score: 0.00058 (roughly a 0.06% estimated probability of exploitation in the next 30 days)
  • Impact: Denial of Service (Process Crash)
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed

Affected Systems

  • protobufjs < 7.5.8 (fixed in 7.5.8)
  • protobufjs >= 8.0.0, < 8.2.0 (fixed in 8.2.0)
  • Any Node.js application that depends on one of those versions, directly or through a transitive dependency

Code Analysis

Commit: 9050289

The fix introduces depth tracking and a recursion limit in the JSON descriptor parsing path, so an over-deep descriptor is refused rather than recursed into until the call stack is exhausted.

Exploit Details

  • Research Context: a proof of concept crashes the process with a JSON structure nested roughly 2000 levels deep. The exact depth needed varies with the Node.js stack size, which is why a fixed, small depth limit (rather than a larger stack) is the correct defence.

Mitigation Strategies

  • Upgrade protobufjs to 7.5.8 or later on the 7.x line, or to 8.2.0 or later on the 8.x line
  • If descriptors must come from outside the application, validate their nesting depth before passing them to Root.fromJSON, rejecting anything deeper than your real schemas ever need
  • Do not compile externally supplied schemas at all unless dynamic compilation is a hard requirement; load descriptors from the application's own build artifacts instead
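The depth pre-validation suggested above, as an added example that is not code from the advisory or from protobufjs. `Root.fromJSON` is the real protobufjs entry point the check guards; everything else here (the `MAX_DEPTH` value of 64, the function names, and the assumption that the hostile payload is built from repeated `nested` namespaces) is this example's own choice. The text scanner rejects a payload before it is even parsed, and both checkers are iterative so they cannot themselves overflow on the input they are meant to refuse.

```javascript
// Added example for this advisory (not protobufjs code): refuse deeply
// nested JSON descriptors before they reach protobufjs.Root.fromJSON().
// MAX_DEPTH is an assumption chosen for this example; tune it to the
// deepest package/message nesting your real schemas actually use.
const MAX_DEPTH = 64;

// Maximum nesting of {} and [] in raw JSON text, measured without parsing.
// Braces inside string literals (including escaped quotes) are skipped.
function textNestingDepth(text) {
  let depth = 0, max = 0, inString = false, escaped = false;
  for (const ch of text) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === '{' || ch === '[') { if (++depth > max) max = depth; }
    else if (ch === '}' || ch === ']') depth--;
  }
  return max;
}

// Same measurement on an already-parsed value (e.g. from a body parser).
// Iterative, so the checker itself cannot overflow on the input it rejects.
function objectDepth(value) {
  let max = 0;
  const stack = [[value, 1]];
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > max) max = depth;
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) stack.push([child, depth + 1]);
  }
  return max;
}

// Gate: accepts JSON text or a parsed object, throws RangeError when the
// nesting exceeds `limit`, otherwise returns the parsed descriptor, which
// is then safe to hand to protobuf.Root.fromJSON().
function loadDescriptor(input, limit = MAX_DEPTH) {
  const depth = typeof input === 'string' ? textNestingDepth(input) : objectDepth(input);
  if (depth > limit) {
    throw new RangeError(`descriptor nesting depth ${depth} exceeds limit ${limit}`);
  }
  return typeof input === 'string' ? JSON.parse(input) : input;
}

// Constructed sample inputs. BENIGN is a minimal protobufjs JSON descriptor
// (one namespace, one message, one field). hostile() mimics the reported
// payload's shape under the assumption that the nesting is repeated
// "nested" namespaces; no recursive code ever touches it.
const BENIGN = '{"nested":{"demo":{"nested":{"Ping":{"fields":{"id":{"type":"uint32","id":1}}}}}}}';
function hostile(levels) {
  return '{"nested":'.repeat(levels) + '{}' + '}'.repeat(levels);
}

console.log('benign descriptor depth:', textNestingDepth(BENIGN));
try {
  loadDescriptor(hostile(2000));
} catch (err) {
  console.log('rejected:', err.message);
}
```

In a service, call `loadDescriptor` on the raw request body (or on the parsed object when a body parser has already run) and only pass its return value to `Root.fromJSON`; the limit should be set from the deepest schema your build actually ships, not from the stack depth that happens to crash.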

Remediation Steps:

  1. Find every copy of protobufjs, including transitive and nested copies, with npm ls protobufjs, npm audit, or a review of package-lock.json
  2. Set the requirement in package.json to ^7.5.8 (7.x line) or ^8.2.0 (8.x line); for copies pulled in by another dependency, update that dependency or add an npm overrides entry
  3. Run the package manager update (npm install, or npm update protobufjs) and re-run npm ls protobufjs to confirm no vulnerable version remains anywhere in the tree
  4. Verify the application test suite passes against the patched version
  5. Deploy the updated application build to production environments
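Steps 1 and 2 above hinge on finding every installed copy, including the ones nested under other packages' node_modules where a stale protobufjs often survives a top-level upgrade. The following is an added example, not part of the advisory and not from protobufjs: it walks a lockfile's "packages" map and flags each copy against the published affected ranges. It assumes lockfileVersion 2 or 3 (a v1 lockfile keeps a nested "dependencies" tree instead), and the lockfile fragment embedded below is constructed for the example.

```javascript
// Added example for this advisory (not from the report or protobufjs): scan a
// package-lock.json and flag every protobufjs copy inside the affected ranges.
// Assumes lockfileVersion 2 or 3 (the "packages" map); a v1 lockfile would
// need its nested "dependencies" tree walked instead.

// Affected ranges as published: < 7.5.8, and >= 8.0.0 < 8.2.0.
const AFFECTED_RANGES = [
  { below: '7.5.8' },
  { atLeast: '8.0.0', below: '8.2.0' },
];

// Minimal semver ordering: numeric major.minor.patch, with a prerelease tag
// (e.g. "8.2.0-rc.1") sorting before the corresponding release, so an
// unreleased build of the fix is still reported as affected.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.replace(/^v/, '').split('-', 2);
    return { nums: core.split('.').map((n) => parseInt(n, 10) || 0), pre: pre !== undefined };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa.nums[i] || 0, y = pb.nums[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1;
  return 0;
}

function isAffected(version) {
  return AFFECTED_RANGES.some((r) =>
    (r.atLeast === undefined || compareVersions(version, r.atLeast) >= 0) &&
    compareVersions(version, r.below) < 0);
}

// Every installed copy: the hoisted one and any nested under another
// package's node_modules. Similarly named packages (protobufjs-cli) are
// not matched because the path must end in exactly "/node_modules/protobufjs".
function findProtobufjs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/protobufjs' || path.endsWith('/node_modules/protobufjs')) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Constructed lockfile fragment (not a real project): one hoisted copy, one
// nested under a gRPC loader, one nested under an unrelated tool, and a
// similarly named package that must not match.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-service', version: '1.0.0' },
    'node_modules/protobufjs': { version: '7.4.0' },
    'node_modules/@grpc/proto-loader': { version: '0.7.0' },
    'node_modules/@grpc/proto-loader/node_modules/protobufjs': { version: '7.5.8' },
    'node_modules/legacy-tool/node_modules/protobufjs': { version: '8.1.9' },
    'node_modules/protobufjs-cli': { version: '1.0.0' },
  },
};

for (const hit of findProtobufjs(SAMPLE_LOCK)) {
  console.log(hit.affected ? 'AFFECTED' : 'ok      ', hit.version, hit.path);
}
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findProtobufjs` and treat any `affected: true` entry as a blocker; a nested copy under another dependency will not move when you bump the top-level requirement, which is why the walk covers every path and not just `node_modules/protobufjs`.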

