Uncontrolled Recursion Affecting protobufjs package, versions <7.5.8>=8.0.0 <8.2.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.26% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-PROTOBUFJS-16657755
  • published14 May 2026
  • disclosed13 May 2026
  • creditFranciny Rojas

Introduced: 13 May 2026

CVE-2026-45740  (opens in a new tab)
CWE-674  (opens in a new tab)

How to fix?

Upgrade protobufjs to version 7.5.8, 8.2.0 or higher.

Overview

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Uncontrolled Recursion through the Root.fromJSON or Namespace.addJSON functions. An attacker can cause resource exhaustion and disrupt service availability by submitting a crafted JSON descriptor with deeply nested namespace definitions.

Note:

This is only exploitable if all of the following conditions are met:

  • The application must load JSON descriptor data influenced by an attacker.

  • The crafted descriptor must contain deeply nested nested namespace objects.

  • The affected Root.fromJSON() / Namespace.addJSON() descriptor expansion path must process the crafted input.

CVSS Base Scores

version 4.0
version 3.1