CVE-2026-59877

medium

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.

References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-j3f2-48v5-ccww

https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.6.6

https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.6.5

https://github.com/protobufjs/protobuf.js/pull/2352

https://github.com/protobufjs/protobuf.js/commit/fa5c73add738ceb471e74da8cc2f3727c3d0a69f

https://github.com/protobufjs/protobuf.js/commit/10fba6d54815ceecca8a06b9a6db490c8f5d2217

Details

Source: Mitre, NVD

Published: 2026-07-08

Updated: 2026-07-08

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Severity: Medium