PT-2026-43619 · Npm · Protobufjs

Published: 2026-05-27 · Updated: 2026-06-15 · CVE-2026-48712

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: protobufjs (affected versions not specified)

Description: protobufjs recurses without a depth limit when converting decoded messages to plain objects or JSON. Both the generated toObject() conversion and the custom google.protobuf.Any JSON conversion path are affected. A crafted protobuf binary payload containing deeply nested Any values can exhaust the JavaScript call stack, so the process crashes or the conversion fails with a stack overflow. The condition is reached when an application decodes untrusted protobuf input containing google.protobuf.Any values and then converts it with JSON.stringify(message), Message#toJSON(), or Type.toObject(message, { json: true }).

Recommendations: At the moment there is no information about a newer version that contains a fix for this vulnerability. Avoid converting untrusted protobuf messages that contain google.protobuf.Any values to JSON. Reject or limit messages with deeply nested Any payloads at an outer protocol boundary. Isolate message conversion in a process that can be safely restarted.
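One way to apply the second recommendation (rejecting deeply nested Any payloads at an outer protocol boundary), as an added example that is not part of this advisory and not code from protobufjs: a guard that inspects the raw wire bytes of a google.protobuf.Any and refuses the payload once the Any-in-Any chain passes a configured depth, before anything is decoded or converted. The only protobuf facts it relies on are the public wire layout of Any (field 1 is the type_url string, field 2 is the value bytes). The sample payload builder, the type URLs, the depth limit of 64 and the helper names are constructed for the example. The guard follows only direct Any-in-Any chains, which is the pattern the description names; an Any buried inside some other message type inside the value is not counted.

```javascript
// Added example (not from the advisory or protobufjs): a boundary guard that
// bounds how deep google.protobuf.Any payloads nest in a raw protobuf binary
// before the bytes reach a decoder or toObject()/toJSON().
// Any wire layout: field 1 (tag 0x0a) type_url string, field 2 (tag 0x12)
// value bytes. The walk uses an explicit loop, so the guard never recurses.

const ANY_TYPE_SUFFIX = "google.protobuf.Any";

// Read a base-128 varint at `pos`; returns [value, nextPos].
function readVarint(buf, pos) {
  let result = 0;
  let shift = 0;
  for (;;) {
    if (pos >= buf.length) throw new Error("truncated varint");
    const b = buf[pos++];
    result += (b & 0x7f) * 2 ** shift; // multiply, not <<, to avoid 32-bit wrap
    if ((b & 0x80) === 0) return [result, pos];
    shift += 7;
    if (shift > 63) throw new Error("varint too long");
  }
}

// Parse the top-level fields of one Any into { typeUrl, value }.
// Other fields are skipped; a malformed buffer throws.
function parseAnyFields(buf) {
  let pos = 0;
  let typeUrl = null;
  let value = null;
  while (pos < buf.length) {
    let tag;
    [tag, pos] = readVarint(buf, pos);
    const field = Math.floor(tag / 8);
    const wireType = tag & 7;
    if (wireType === 0) {
      [, pos] = readVarint(buf, pos); // varint: skip
    } else if (wireType === 2) {
      let len;
      [len, pos] = readVarint(buf, pos);
      if (pos + len > buf.length) throw new Error("length exceeds buffer");
      const chunk = buf.subarray(pos, pos + len);
      pos += len;
      if (field === 1) typeUrl = new TextDecoder().decode(chunk);
      else if (field === 2) value = chunk;
    } else if (wireType === 1 || wireType === 5) {
      pos += wireType === 1 ? 8 : 4; // fixed64 / fixed32: skip
    } else {
      throw new Error(`unsupported wire type ${wireType}`);
    }
  }
  return { typeUrl, value };
}

// Depth of the Any-in-Any chain at `buf`: 0 if it is not an Any, 1 for an Any
// carrying another message type. Throws as soon as maxDepth is exceeded,
// without parsing deeper bytes. Bytes that are not a well-formed Any end the
// chain; the real decoder judges them later.
function anyNestingDepth(buf, maxDepth) {
  let depth = 0;
  let current = buf;
  while (current !== null) {
    let fields;
    try {
      fields = parseAnyFields(current);
    } catch (e) {
      break;
    }
    if (fields.typeUrl === null) break;
    depth += 1;
    if (depth > maxDepth) {
      throw new Error(`Any nesting depth exceeds limit of ${maxDepth}`);
    }
    current = fields.typeUrl.endsWith(ANY_TYPE_SUFFIX) ? fields.value : null;
  }
  return depth;
}

// Boundary check: true when the payload may be handed on for conversion.
function isWithinAnyDepth(buf, maxDepth) {
  try {
    anyNestingDepth(buf, maxDepth);
    return true;
  } catch (e) {
    return false;
  }
}

// --- constructed sample payloads (not captured traffic) -------------------
function encodeVarint(n) {
  const out = [];
  while (n >= 0x80) { out.push((n % 0x80) | 0x80); n = Math.floor(n / 0x80); }
  out.push(n);
  return out;
}

function lengthDelimited(fieldNumber, bytes) {
  return [fieldNumber * 8 + 2, ...encodeVarint(bytes.length), ...bytes];
}

function encodeAny(typeUrl, valueBytes) {
  return Uint8Array.from([
    ...lengthDelimited(1, new TextEncoder().encode(typeUrl)),
    ...lengthDelimited(2, valueBytes),
  ]);
}

// n Any layers; the innermost carries a tiny non-Any message (field 1 = 1).
function buildNestedAny(n) {
  let buf = encodeAny("type.googleapis.com/example.Inner", Uint8Array.of(0x08, 0x01));
  for (let i = 1; i < n; i++) {
    buf = encodeAny("type.googleapis.com/google.protobuf.Any", buf);
  }
  return buf;
}

// Usage at the boundary, before Type.decode() and any toObject()/toJSON():
const MAX_ANY_DEPTH = 64; // assumed limit; tune to what the schema really needs
console.log(isWithinAnyDepth(buildNestedAny(3), MAX_ANY_DEPTH));    // true
console.log(isWithinAnyDepth(buildNestedAny(2000), MAX_ANY_DEPTH)); // false
```

Because the guard reads lengths from the wire format and descends only by slicing, a 2000-layer payload is rejected in a single loop without ever allocating the decoded object graph, which is exactly the resource the vulnerable conversion path exhausts. If the transport wraps the Any inside an envelope message, run the same check on that envelope's Any-typed fields after a shallow decode rather than on the whole buffer.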

Weakness Enumeration

Uncontrolled Recursion

Related Identifiers

CVE-2026-48712
GHSA-WCPC-WJ8M-HJX6

Affected Products

Protobufjs