PT-2026-40535 · Npm · Protobufjs

Published: 2026-05-12 · Updated: 2026-05-13 · CVE-2026-44289

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
- protobufjs versions prior to 7.5.6
- protobufjs versions prior to 8.0.2
Description: protobufjs can recurse without a depth limit while decoding nested protobuf data, specifically when skipping unknown group fields and during the generated decoding of nested message fields. A crafted protobuf binary payload can exhaust the JavaScript call stack, leading to a process crash or decoding failure due to a stack overflow. This occurs when an application decodes untrusted protobuf binary input containing deeply nested structures, such as nested group tags or nested message fields.
Recommendations:
- Update to version 7.5.6.
- Update to version 8.0.2.
- Avoid decoding untrusted protobuf binary data.
- Reject excessively nested messages at an outer protocol boundary where feasible.
- Isolate protobuf decoding in a process that can be safely restarted.
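The outer-boundary rejection recommended above, as an added example that is neither protobufjs code nor part of the advisory: a schema-free walk over the protobuf wire format that measures nesting depth, counting groups exactly and treating a length-delimited field as an embedded message whenever its bytes parse cleanly as fields (an over-approximation that can only err on the side of rejecting). The 64-level default and all function names are assumptions, not values from the advisory.

```javascript
// Added example, not protobufjs code: bound the nesting depth of a protobuf
// wire-format payload before a decoder recurses over it (maxDepth is assumed).
class NestingTooDeep extends Error {}
function readVarint(buf, pos) {            // returns [value, nextPos]
  let value = 0, shift = 0;
  for (;;) {
    if (pos >= buf.length) throw new Error("truncated varint");
    if (shift > 63) throw new Error("varint too long");
    const b = buf[pos++];
    value += (b & 0x7f) * 2 ** shift;      // exact below 2^53; used for tags and lengths
    shift += 7;
    if ((b & 0x80) === 0) return [value, pos];
  }
}
// Walks fields in buf[pos, end); `group` is the enclosing group's field number (null at
// message level). Returns [deepest level reached, position after the end-group tag or
// `end`]. The depth check on entry also keeps this walker itself from unbounded recursion.
function walk(buf, pos, end, depth, maxDepth, group) {
  if (depth > maxDepth) throw new NestingTooDeep(`nesting exceeds ${maxDepth}`);
  let deepest = depth;
  while (pos < end) {
    let tag; [tag, pos] = readVarint(buf, pos);
    const field = Math.floor(tag / 8), wire = tag & 7;
    if (field === 0 || field >= 2 ** 29) throw new Error("bad field number");
    if (wire === 0) [, pos] = readVarint(buf, pos);           // varint
    else if (wire === 1) pos += 8;                            // fixed64
    else if (wire === 5) pos += 4;                            // fixed32
    else if (wire === 2) {                                    // length-delimited
      let len; [len, pos] = readVarint(buf, pos);
      if (pos + len > end) throw new Error("length-delimited field overruns message");
      // No schema: count the bytes as an embedded message only if they parse as fields.
      try { if (len > 0) deepest = Math.max(deepest, walk(buf, pos, pos + len, depth + 1, maxDepth, null)[0]); }
      catch (e) { if (e instanceof NestingTooDeep) throw e; } // otherwise opaque string/bytes
      pos += len;
    } else if (wire === 3) {                                  // start group: nests unambiguously
      let sub; [sub, pos] = walk(buf, pos, end, depth + 1, maxDepth, field);
      deepest = Math.max(deepest, sub);
    } else if (wire === 4) {                                  // end group
      if (group !== field) throw new Error("unexpected end-group tag");
      return [deepest, pos];
    } else throw new Error(`unknown wire type ${wire}`);
    if (pos > end) throw new Error("field overruns message");
  }
  if (group !== null) throw new Error("unterminated group");
  return [deepest, pos];
}
// Depth of a top-level message (0 = flat); throws NestingTooDeep if it should be rejected.
function protobufNestingDepth(buf, maxDepth = 64) {
  return walk(buf, 0, buf.length, 0, maxDepth, null)[0];
}
```

Run the check on the raw bytes before calling the decoder and drop the payload when it throws NestingTooDeep; a plain Error means the bytes are malformed and would fail to decode anyway.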

Fix

Weakness Enumeration: Uncontrolled Recursion

Related Identifiers: CVE-2026-44289, GHSA-685M-2W69-288Q

Affected Products: Protobufjs