CVE-2026-59877
MEDIUM
5.3
CVSS 3.1
Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.
Metadata
Severity & Metrics
5.3
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| protobufjs | protobuf.js | — | >= 7.5.0, < 7.6.5, >= 8.0.0, < 8.6.6 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-835 | cna | CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 5.3 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (6)
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-j3f2-48v5-ccww https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-j3f2-48v5-ccww
- https://github.com/protobufjs/protobuf.js/pull/2352 https://github.com/protobufjs/protobuf.js/pull/2352
- https://github.com/protobufjs/protobuf.js/commit/10fba6d54815ceecca8a06b9a6db490c8f5d2217 https://github.com/protobufjs/protobuf.js/commit/10fba6d54815ceecca8a06b9a6db490c8f5d2217
- https://github.com/protobufjs/protobuf.js/commit/fa5c73add738ceb471e74da8cc2f3727c3d0a69f https://github.com/protobufjs/protobuf.js/commit/fa5c73add738ceb471e74da8cc2f3727c3d0a69f
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.6.5 https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.6.5
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.6.6 https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.6.6