CVE-2026-59877
MEDIUM SEVERITYCVSS Score & Metrics
Base Score
5.3 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerability Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-835
Source
NVD
Vendor
protobufjs
Product
protobuf.js
External References
- https://github.com/protobufjs/protobuf.js/commit/10fba6d54815ceecca8a06b9a6db490c8f5d2217
- https://github.com/protobufjs/protobuf.js/commit/fa5c73add738ceb471e74da8cc2f3727c3d0a69f
- https://github.com/protobufjs/protobuf.js/pull/2352
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.6.5
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.6.6
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-j3f2-48v5-ccww
Discussion (0)
Add Comment
No comments yet. Be the first!