Protobufjs versions prior to 7.6.1 (7.x line) and 8.4.1 (8.x line) contain an uncontrolled recursion vulnerability when converting decoded messages to plain objects or JSON. The issue exists in the generated `toObject()` conversion and in the custom `google.protobuf.Any` JSON conversion path. A specially crafted protobuf binary payload that includes deeply nested `Any` values triggers unbounded recursion during the conversion to JSON. This recursion consumes the JavaScript call stack until it overflows, causing the process to crash or become unresponsive.

The vulnerability is relevant only to applications that decode untrusted protobuf input containing `google.protobuf.Any` fields and then convert the decoded messages to JSON or plain objects, for example via `JSON.stringify(message)`, `message.toJSON()`, or `Type.toObject(message, { json: true })`. An application that merely decodes and re-encodes protobuf binary data without performing a JSON conversion is not affected.

To exploit the issue, an attacker must supply a protobuf binary message that the application decodes. The application's schema must include `google.protobuf.Any`, and the referenced `type_url` must resolve to a valid message type in the loaded protobuf root. The crafted input contains deeply nested `Any` values that are expanded only during the JSON conversion step. No depth limit is enforced during this expansion, so an attacker can exhaust the stack and deny service to the application.
DailyCVE Form:
Platform: npm protobufjs
Version: 7.x before 7.6.1 and 8.x before 8.4.1 vulnerable
Vulnerability: Unbounded recursion during JSON conversion
Severity: High
Date: 2026-06-15
Prediction: 2026-06-15 patch
What Undercode Say:
Analytics:
Check the protobufjs version installed in a Node.js project
npm list protobufjs
Print the protobufjs version actually loaded at runtime (this only reports the version; it does not exercise the bug)
node -e "const protobuf = require('protobufjs'); console.log(protobuf.version);"
Obtain a crafted protobuf message for testing (placeholder URL; generate the test file locally instead of fetching one)
curl -O https://example.com/crafted_nested_any.bin
Feed it to an application that performs the affected conversion (`vulnerable_app.js` stands for any such application)
node vulnerable_app.js < crafted_nested_any.bin
Exploit:
An attacker crafts a protobuf binary message that contains `google.protobuf.Any` fields nested hundreds of levels deep. When the application decodes this message and subsequently converts it to JSON (e.g., via JSON.stringify(message)), the conversion routine recursively expands each `Any` value without a depth limit. The recursion rapidly exhausts the JavaScript call stack, resulting in a `RangeError: Maximum call stack size exceeded` and crashing the process.
Protection:
- Upgrade protobufjs to 7.6.1 or later on the 7.x line, or 8.4.1 or later on the 8.x line.
- If an immediate upgrade is impossible, do not convert untrusted protobuf messages containing `google.protobuf.Any` to JSON or plain objects.
- Reject or limit messages with deeply nested `Any` payloads at an outer protocol boundary, before they reach the decode and conversion code.
- Isolate message conversion in a worker or child process that can be safely restarted after a stack overflow, so one crafted payload does not take down the main service.
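The boundary check from the third point above, as an added example that is not part of the original advisory or of protobufjs: a wire-level scanner in plain Node.js that measures `google.protobuf.Any` nesting in a raw payload and rejects it before `decode()` or `toObject()` ever sees it. It relies only on the wire layout of `Any` (field 1 `type_url` and field 2 `value`, both length-delimited). The `example.Envelope` message with its `Any` field number 3, the `MAX_ANY_DEPTH` limit of 16, and the crafted payloads are all constructed for this example. The scanner walks with an explicit stack rather than recursion, so it cannot itself overflow on the input it is meant to reject, and it follows both `Any` wrapped directly in `Any` and `Any` hidden inside a schema message.

```javascript
// Added example, not protobufjs project code. A wire-level pre-check that bounds
// google.protobuf.Any nesting before bytes reach decode()/toObject().
// Assumed wire layout of Any: field 1 = type_url (wire type 2), field 2 = value (wire type 2).
const MAX_ANY_DEPTH = 16; // assumed policy limit for this example

// Hypothetical schema knowledge: which fields of which application messages are Any-typed.
const SCHEMA_ANY_FIELDS = { 'example.Envelope': [3] };

function encodeVarint(n) {
  const out = [];
  while (n >= 0x80) { out.push((n & 0x7f) | 0x80); n = Math.floor(n / 128); }
  out.push(n);
  return Buffer.from(out);
}

// key = (field << 3) | wire type 2, then length, then payload
function lengthDelimited(fieldNumber, bytes) {
  return Buffer.concat([encodeVarint(fieldNumber * 8 + 2), encodeVarint(bytes.length), bytes]);
}

function encodeAny(typeUrl, value) {
  return Buffer.concat([lengthDelimited(1, Buffer.from(typeUrl, 'utf8')), lengthDelimited(2, value)]);
}

function readVarint(buf, pos) {
  let value = 0, shift = 0;
  for (;;) {
    if (pos >= buf.length) throw new Error('truncated varint');
    const b = buf[pos++];
    value += (b & 0x7f) * 2 ** shift;
    if ((b & 0x80) === 0) return { value, pos };
    shift += 7;
    if (shift > 63) throw new Error('varint too long');
  }
}

// Splits a serialized message into {field, wireType, bytes}; bytes is set only for wire type 2.
function parseFields(buf) {
  const fields = [];
  let pos = 0;
  while (pos < buf.length) {
    const key = readVarint(buf, pos);
    pos = key.pos;
    const field = Math.floor(key.value / 8);
    const wireType = key.value % 8;
    let bytes = null;
    if (wireType === 0) {
      pos = readVarint(buf, pos).pos;                 // varint payload, skipped
    } else if (wireType === 1 || wireType === 5) {
      pos += wireType === 1 ? 8 : 4;                  // fixed64 / fixed32, skipped
    } else if (wireType === 2) {
      const len = readVarint(buf, pos);
      pos = len.pos;
      bytes = buf.subarray(pos, pos + len.value);
      pos += len.value;
    } else {
      throw new Error(`unsupported wire type ${wireType}`);
    }
    if (pos > buf.length) throw new Error('truncated field');
    fields.push({ field, wireType, bytes });
  }
  return fields;
}

// Returns the deepest Any nesting level reached; throws RangeError once it exceeds maxDepth.
// Explicit stack instead of recursion, so the check itself cannot blow the call stack.
function anyNestingDepth(anyBytes, maxDepth = MAX_ANY_DEPTH, schemaAnyFields = SCHEMA_ANY_FIELDS) {
  const stack = [{ bytes: anyBytes, depth: 1 }];
  let deepest = 0;
  while (stack.length) {
    const { bytes, depth } = stack.pop();
    if (depth > maxDepth) throw new RangeError(`Any nesting depth exceeds ${maxDepth}`);
    deepest = Math.max(deepest, depth);
    let typeUrl = '', value = null;
    for (const f of parseFields(bytes)) {
      if (f.wireType !== 2) continue;
      if (f.field === 1) typeUrl = f.bytes.toString('utf8');
      else if (f.field === 2) value = f.bytes;
    }
    if (value === null) continue;
    const typeName = typeUrl.slice(typeUrl.lastIndexOf('/') + 1);
    if (typeName === 'google.protobuf.Any') {
      stack.push({ bytes: value, depth: depth + 1 });           // Any wrapped directly in Any
    } else if (schemaAnyFields[typeName]) {
      for (const f of parseFields(value)) {                     // Any inside a schema message
        if (f.wireType === 2 && schemaAnyFields[typeName].includes(f.field)) {
          stack.push({ bytes: f.bytes, depth: depth + 1 });
        }
      }
    }
  }
  return deepest;
}

// Constructed payloads: a chain of Any-in-Any, and a chain routed through example.Envelope.
function craftAnyChain(levels) {
  let msg = encodeAny('type.googleapis.com/google.protobuf.Empty', Buffer.alloc(0));
  for (let i = 0; i < levels; i++) msg = encodeAny('type.googleapis.com/google.protobuf.Any', msg);
  return msg;
}
function craftEnvelopeChain(levels) {
  let msg = encodeAny('type.googleapis.com/google.protobuf.Empty', Buffer.alloc(0));
  for (let i = 0; i < levels; i++) msg = encodeAny('type.googleapis.com/example.Envelope', lengthDelimited(3, msg));
  return msg;
}

// Boundary decision: true if the payload may be handed to decode()/toObject().
function payloadAcceptable(anyBytes, maxDepth = MAX_ANY_DEPTH) {
  try { anyNestingDepth(anyBytes, maxDepth); return true; }
  catch (e) { if (e instanceof RangeError) return false; throw e; }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('depth of 5-level Any chain:', anyNestingDepth(craftAnyChain(5)));
  console.log('500-level chain accepted?', payloadAcceptable(craftAnyChain(500)));
}
```

Run it with `node` on the file it is saved in. The Any-in-Any chain is recognised from the `type_url` alone; following `Any` values hidden inside application messages requires the schema map, so keep `SCHEMA_ANY_FIELDS` in sync with the loaded `.proto` files (or derive it from the protobufjs root at startup). Whatever limit you pick, it should be well below the depth at which the conversion in your deployed protobufjs version overflows, and ideally enforced as well on total payload size.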
Impact:
Successful exploitation causes a denial‑of‑service (DoS) condition. The application process crashes or becomes unresponsive, disrupting legitimate traffic and potentially leading to prolonged downtime. The vulnerability does not allow data theft or privilege escalation, but its ease of exploitation (a crafted binary payload) makes it a high‑severity risk for any Node.js service that decodes untrusted protobuf input containing `google.protobuf.Any` fields.
Sources:
Reported By: github.com

