CVE-2026-59877
protobufjs: Denial of Service via infinite loop in .proto option parsing
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.
| CWE | CWE-835 |
| Vendor | protobufjs |
| Product | protobuf.js |
| Published | Jul 8, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for protobufjs protobuf.js
Be the first to know when new medium vulnerabilities affecting protobufjs protobuf.js are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Affected Versions
protobufjs / protobuf.js
>= 7.5.0, < 7.6.5 >= 8.0.0, < 8.6.6
References
github.com: https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-j3f2-48v5-ccww github.com: https://github.com/protobufjs/protobuf.js/pull/2352 github.com: https://github.com/protobufjs/protobuf.js/commit/10fba6d54815ceecca8a06b9a6db490c8f5d2217 github.com: https://github.com/protobufjs/protobuf.js/commit/fa5c73add738ceb471e74da8cc2f3727c3d0a69f github.com: https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.6.5 github.com: https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.6.6