protobufjs Flaw CVE-2026-45740 Enables DoS via Deeply Nested JSON
CVE-2026-45740 (CVSS 7.5) in protobufjs lets attackers crash Node.js apps by sending crafted JSON descriptors with deeply nested namespaces — affects versions before 7.5.8 and...

Executive Summary
A high-severity vulnerability in the widely used protobufjs library — tracked as CVE-2026-45740 with a CVSS score of 7.5 — allows remote attackers to trigger a denial-of-service condition by exhausting the JavaScript call stack. The flaw resides in how protobufjs processes JSON descriptors through Root.fromJSON() and Namespace.addJSON(). Versions prior to 7.5.8 and 8.2.0 are affected. An attacker who can supply a crafted JSON descriptor with deeply nested namespace definitions can crash any Node.js application that loads untrusted protobuf definitions, making this a serious concern for developers who expose protobuf parsing to external input.
Technical Analysis
protobufjs is a popular JavaScript library that parses Protocol Buffers (protobuf) definitions and generates encoder and decoder functions for them at runtime. It is used extensively in Node.js ecosystems for serialization and RPC tooling, including gRPC loaders and custom API gateways. The vulnerability was discovered internally by the protobufjs maintainers and disclosed via a GitHub Security Advisory (GHSA-jggg-4jg4-v7c6).
The core issue is the absence of a depth limit when the library recursively expands nested JSON descriptors. When Root.fromJSON() or Namespace.addJSON() processes a JSON object whose "nested" entries themselves contain further "nested" entries, each level consumes another set of JavaScript stack frames, and the descent proceeds without bound. A crafted input with enough levels of nested "nested" keys (on the order of thousands on a default Node.js stack) overflows the call stack; the resulting RangeError ("Maximum call stack size exceeded") terminates the process if nothing catches it. The advisory notes that the recursion happens while the descriptor is being loaded, not while messages are encoded or decoded, so the attack surface is any code path that accepts protobuf schema definitions in JSON form from outside.
No proof-of-concept code has been publicly released as of this writing, but the advisory describes the attack vector precisely: an attacker-controlled JSON descriptor with excessive nesting depth exhausts the stack. The fix, shipped in versions 7.5.8 and 8.2.0, adds a configurable depth limit to the recursive parsing routines, so a descriptor that exceeds the limit is rejected with an ordinary error before the stack is at risk. The default limit is 64 levels, which covers legitimate schemas while blocking malicious nesting.
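To make the mechanism concrete, the following is an added example and not protobufjs code: a minimal stand-in for the recursive descent that Root.fromJSON()/Namespace.addJSON() perform over the "nested" key of a JSON descriptor, first without a depth limit and then with one. The walker functions, the outcome classifier and the hostile descriptor are all constructed for this illustration; the library's internal function names and the exact semantics of its new depth option are not reproduced, and only the 64-level default is taken from the advisory.

```javascript
// Added example, not protobufjs code. Models the unbounded recursion behind
// CVE-2026-45740 and the shape of the fix (a depth limit). Internal names and
// the exact option semantics of the real library are assumptions.

// Build a descriptor with `levels` nested namespaces. Built iteratively so the
// generator itself cannot overflow; a real attacker would send this as JSON
// text. (Constructed test input, not a captured payload.)
function buildNestedDescriptor(levels) {
  let node = { fields: {} };                 // innermost message type, no fields
  for (let i = levels; i > 0; i--) {
    node = { nested: { ['ns' + i]: node } }; // wrap in one more namespace
  }
  return node;                               // root namespace
}

// Unbounded walker, mirroring pre-fix behaviour: one JS stack frame per
// nesting level, so a deep enough descriptor throws RangeError
// ("Maximum call stack size exceeded"). Returns the number of namespaces
// visited when it succeeds.
function loadUnbounded(descriptor) {
  let visited = 0;
  function walk(nsJson) {
    visited++;
    const nested = nsJson.nested;
    if (nested) for (const name of Object.keys(nested)) walk(nested[name]);
  }
  walk(descriptor);
  return visited;
}

// Bounded walker, modelling the fix: refuse the descriptor as soon as the
// recursion passes maxDepth, long before the stack is in danger. The root
// counts as depth 0, so 64 levels below it are allowed and 65 are not
// (an assumption about how the real limit is counted).
function loadBounded(descriptor, maxDepth = 64) {
  let visited = 0;
  function walk(nsJson, depth) {
    if (depth > maxDepth) {
      throw new Error(`descriptor nesting exceeds limit of ${maxDepth}`);
    }
    visited++;
    const nested = nsJson.nested;
    if (nested) for (const name of Object.keys(nested)) walk(nested[name], depth + 1);
  }
  walk(descriptor, 0);
  return visited;
}

// Classify what happens when a loader is given a descriptor. In a server that
// does not catch the RangeError, "stack-exhausted" means the process dies.
function outcome(loader, descriptor) {
  try {
    return 'loaded:' + loader(descriptor);
  } catch (e) {
    return e instanceof RangeError ? 'stack-exhausted' : 'rejected';
  }
}

const hostile = buildNestedDescriptor(200000);
console.log('unbounded:', outcome(loadUnbounded, hostile));                  // stack-exhausted
console.log('bounded:  ', outcome(loadBounded, hostile));                    // rejected
console.log('benign:   ', outcome(loadBounded, buildNestedDescriptor(5)));   // loaded:6
```

The hostile descriptor is built in memory rather than parsed from text so that the example does not depend on how a particular JSON.parse implementation copes with deep nesting; the recursion in the loader, not the JSON parser, is what the advisory is about.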
The vulnerability is classified as a denial-of-service (DoS) because it does not allow code execution or data exfiltration — only process termination. However, in production environments where protobufjs is used in critical services (API gateways, authentication services, or data pipelines), a single crafted request could knock out a node, potentially cascading into broader service disruption if load balancers or retry logic amplify the failure.
Mitigations & Recommendations
Organizations using protobufjs should immediately upgrade to version 7.5.8 (for the 7.x branch) or 8.2.0 (for the 8.x branch). The fix introduces a default nesting depth limit of 64, which accommodates all known legitimate protobuf schemas. Developers who genuinely need deeper nesting can raise the limit via the new parseOptions.depth parameter, but every increase widens the window for this attack, so it should be avoided unless strictly necessary.
For teams that cannot upgrade immediately, the primary mitigation is to control where JSON descriptors come from: do not accept user-supplied or untrusted descriptors from network endpoints. Where descriptors must arrive from outside, restrict them to an allow-list of known schemas, bound their size and nesting depth with a non-recursive check before they reach protobufjs, and load them in a separate worker or child process so that a crash takes down only that process rather than the whole service. Application monitoring should also alert on process crashes, stack-overflow RangeErrors in particular, that coincide with descriptor loading, as these may indicate exploitation attempts.
Unpatched versions offer no setting that bounds the recursion, so any depth check has to sit in front of the library rather than inside it. The only complete fix is patching.
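The kind of front-door depth check the mitigation above calls for, as an added example that is neither the page's nor protobufjs's own code: a gate that bounds the raw JSON text and then the parsed descriptor's namespace depth before anything is passed to Root.fromJSON() on an unpatched build. Both walks are iterative, so the gate cannot itself be stack-exhausted by the input it is meant to reject. The 64-level limit mirrors the patched library's default; the 4x brace-depth ratio, the 1 MiB size cap and all function names are assumptions chosen for this illustration.

```javascript
// Added example, not protobufjs code. A pre-load gate for untrusted JSON
// descriptors on unpatched protobufjs. Limits and names are assumptions.

// Coarse text-level bound: deepest run of open "{"/"[" in the raw JSON,
// ignoring brackets inside string literals. Each namespace level costs at
// least two braces ({"nested":{...}}), so a hostile payload is caught here
// without relying on how the runtime's JSON.parse handles deep input.
function rawBraceDepth(text) {
  let depth = 0, maxDepth = 0, inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (c === '\\') i++;                  // skip the escaped character
      else if (c === '"') inString = false;
    } else if (c === '"') inString = true;
    else if (c === '{' || c === '[') { if (++depth > maxDepth) maxDepth = depth; }
    else if (c === '}' || c === ']') depth--;
  }
  return maxDepth;
}

// Precise bound on the parsed object: deepest chain of "nested" keys, root
// counted as 0. Uses an explicit work stack, so deep input costs heap, not
// call stack.
function descriptorDepth(descriptor) {
  let maxDepth = 0;
  const work = [[descriptor, 0]];
  while (work.length > 0) {
    const [node, depth] = work.pop();
    if (depth > maxDepth) maxDepth = depth;
    if (node === null || typeof node !== 'object') continue;
    const nested = node.nested;
    if (nested === null || typeof nested !== 'object') continue;
    for (const name of Object.keys(nested)) work.push([nested[name], depth + 1]);
  }
  return maxDepth;
}

// Gate a raw request body. Returns { ok: true, descriptor } when it may be
// handed to protobufjs, otherwise { ok: false, reason }.
function gateDescriptor(text, { maxDepth = 64, maxBytes = 1 << 20 } = {}) {
  if (text.length > maxBytes) return { ok: false, reason: 'descriptor too large' };
  // Assumed ratio: legitimate descriptors spend a handful of braces per
  // namespace level (nested/fields/options), so 4x the namespace limit is a
  // generous ceiling for the raw text.
  if (rawBraceDepth(text) > maxDepth * 4) return { ok: false, reason: 'raw nesting too deep' };
  let descriptor;
  try { descriptor = JSON.parse(text); } catch (e) { return { ok: false, reason: 'invalid JSON' }; }
  const depth = descriptorDepth(descriptor);
  if (depth > maxDepth) {
    return { ok: false, reason: `namespace nesting ${depth} exceeds ${maxDepth}` };
  }
  return { ok: true, descriptor };
}

// Constructed inputs (not captured traffic): a benign two-level descriptor,
// a 70-level one that passes the coarse check but not the precise one, and
// a 50000-level payload of the kind the advisory describes.
function buildDeepDescriptor(levels) {
  let node = { fields: {} };
  for (let i = levels; i > 0; i--) node = { nested: { ['ns' + i]: node } };
  return node;
}
const benignText = JSON.stringify({ nested: { pkg: { nested: { Msg: { fields: { id: { type: 'int32', id: 1 } } } } } } });
const seventyText = JSON.stringify(buildDeepDescriptor(70));
const hostileText = '{"nested":{"ns":'.repeat(50000) + '{"fields":{}}' + '}}'.repeat(50000);

console.log(gateDescriptor(benignText).ok);      // true
console.log(gateDescriptor(seventyText).reason); // namespace nesting 70 exceeds 64
console.log(gateDescriptor(hostileText).reason); // raw nesting too deep
```

Run the gate, and the subsequent Root.fromJSON() call, inside a worker thread or child process when the caller is a long-lived service; the gate removes the known trigger, but isolating the load is what keeps an unforeseen crash from taking the whole node with it.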
