CVE-2026-54269 | protobufjs compiles protobuf definitions into JavaScript (JS… | CVSS 5.3 MEDIUM

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.

Metadata

CVE ID: CVE-2026-54269
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 17:13 UTC
Published: 2026-06-22 16:23 UTC
Last updated: 2026-06-22 16:23 UTC
Primary CWE: CWE-674
CWE-674: Uncontrolled Recursion
Vendor / Product: protobufjs / protobuf.js
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products (1)

Vendor	Product	Platform	Versions
protobufjs	protobuf.js	—	< 7.6.3, >= 8.0.0, < 8.6.0

Weakness (CWE)

CWE	Source	Description
CWE-674	cna	CWE-674: Uncontrolled Recursion
CWE-754	cna	CWE-754: Improper Check for Unusual or Exceptional Conditions

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (1)

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7 https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7