SB2026070401 - Infinite loop in protobuf.js



Published: July 4, 2026

Security Bulletin ID: SB2026070401
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Partial DoS

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Infinite loop (CVE-ID: N/A)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a loop with an unreachable exit condition in the reflection parsing path when parsing attacker-influenced .proto schema text. A remote attacker can provide a crafted schema with an unterminated option declaration to cause a denial of service.

The issue affects parsing through parse, Root.load, and Root.loadSync, and can block the Node.js event loop until the process is externally terminated.


Remediation

Install the update from the vendor's website.
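
As defence in depth against the event-loop blocking described above, untrusted .proto text can be parsed in a child process under a hard deadline, so a parse that never returns is killed instead of hanging the service. This is an added example, not code from the bulletin or from protobuf.js; `parseSchemaIsolated`, `PARSE_CHILD` and the limits are hypothetical names and values, and it assumes protobufjs is installed where the child runs.

```javascript
// Added example (not from the bulletin or protobuf.js): parse untrusted
// .proto text in a child process under a hard deadline.
const { spawnSync } = require("node:child_process");

// Child program: read schema text from stdin, parse it with protobuf.js and
// print the reflection tree as JSON. Assumes protobufjs is installed where
// the child runs.
const PARSE_CHILD = `
  const protobuf = require("protobufjs");
  let src = "";
  process.stdin.setEncoding("utf8");
  process.stdin.on("data", (chunk) => { src += chunk; });
  process.stdin.on("end", () => {
    const { root } = protobuf.parse(src);
    process.stdout.write(JSON.stringify(root.toJSON()));
  });
`;

// Hypothetical helper. Returns { ok: true, descriptor } or { ok: false, reason }.
// childSource is overridable so the deadline handling can be exercised
// without protobuf.js.
function parseSchemaIsolated(schemaText, opts = {}) {
  const { timeoutMs = 2000, childSource = PARSE_CHILD } = opts;
  const res = spawnSync(process.execPath, ["-e", childSource], {
    input: schemaText,
    encoding: "utf8",
    timeout: timeoutMs,          // hard deadline for the whole parse
    killSignal: "SIGKILL",       // a spinning parser cannot ignore this
    maxBuffer: 8 * 1024 * 1024,  // cap on the JSON the child may return
  });
  if (res.error && res.error.code === "ETIMEDOUT") {
    return { ok: false, reason: "timeout" };
  }
  if (res.error) {
    return { ok: false, reason: "spawn-error", detail: res.error.code };
  }
  if (res.status !== 0) {
    return { ok: false, reason: "parse-error", detail: res.stderr.slice(-300) };
  }
  // Rebuild in the parent with protobuf.Root.fromJSON(descriptor).
  return { ok: true, descriptor: JSON.parse(res.stdout) };
}
```

`spawnSync` blocks the caller for at most `timeoutMs`; on a request path, use the asynchronous `spawn` with a kill timer so the event loop stays free.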