Uncontrolled Recursion Affecting protobufjs package, versions <7.6.1, >=8.0.0 <8.4.1


Severity: high (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-JS-PROTOBUFJS-17353320
  • published: 17 Jun 2026
  • disclosed: 15 Jun 2026
  • credit: Yue (Knox) Liu, Song Jihoon

Introduced: 15 Jun 2026

CVE-2026-48712
CWE-674

How to fix?

Upgrade protobufjs to version 7.6.1, 8.4.1 or higher.

Overview

protobufjs is a protocol buffer for JavaScript (& TypeScript).

Affected versions of this package are vulnerable to Uncontrolled Recursion during the JSON conversion. An attacker can exhaust the call stack and cause the application to crash by supplying crafted protobuf binary data containing deeply nested Any values that are expanded during conversion. This is only exploitable if the application decodes attacker-influenced protobuf binary data, the schema includes google.protobuf.Any, the referenced type_url resolves to a loaded message type, and the application converts the decoded message to JSON or a plain object through an affected conversion path with deeply nested Any values.
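As an added illustration of the conversion path the advisory describes (this is not protobufjs code), the following depth-bounded walker expands Any values through a registry keyed by type_url and refuses to recurse past a fixed limit instead of exhausting the call stack. The registry, the Wrapper type, MAX_DEPTH and the function names are assumptions for this example.

```javascript
// Added example, not part of protobufjs: a decoded message tree in which
// google.protobuf.Any fields are expanded by looking up type_url in a
// registry of loaded types, with recursion depth bounded explicitly.

// Constructed registry of "loaded" message types keyed by type_url; each
// entry turns a raw Any payload into a decoded message (assumed shape).
const registry = {
  "type.googleapis.com/example.Wrapper": (value) => value,
};

const MAX_DEPTH = 16; // assumed limit; tune to the schema's real nesting needs

function isAny(v) {
  return v !== null && typeof v === "object" &&
    typeof v.type_url === "string" && "value" in v;
}

// Converts a decoded message to a plain object, expanding known Any values
// and throwing RangeError once nesting exceeds MAX_DEPTH.
function toPlainObjectBounded(msg, depth = 0) {
  if (msg === null || typeof msg !== "object") return msg;
  if (depth > MAX_DEPTH) throw new RangeError(`message nesting exceeds ${MAX_DEPTH}`);
  if (Array.isArray(msg)) return msg.map((m) => toPlainObjectBounded(m, depth + 1));
  if (isAny(msg)) {
    const decode = registry[msg.type_url];
    // Unknown type_url: keep the Any opaque rather than expanding it.
    if (!decode) return { "@type": msg.type_url, value: msg.value };
    return { "@type": msg.type_url, ...toPlainObjectBounded(decode(msg.value), depth + 1) };
  }
  const out = {};
  for (const [k, v] of Object.entries(msg)) out[k] = toPlainObjectBounded(v, depth + 1);
  return out;
}

// Constructed input: Wrapper { id, payload: Any(Wrapper { ... }) } nested n levels deep.
function nestedWrapper(n) {
  let msg = { id: 0 };
  for (let i = 1; i <= n; i++) {
    msg = { id: i, payload: { type_url: "type.googleapis.com/example.Wrapper", value: msg } };
  }
  return msg;
}

// Returns "ok" when conversion succeeds, otherwise the name of the error thrown.
function convertOrReject(msg) {
  try { toPlainObjectBounded(msg); return "ok"; } catch (e) { return e.name; }
}
```

Upgrading remains the fix; a guard like this only bounds the work done per message on the application's own conversion path.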
