SB2026070401 - Infinite loop in protobuf.js
Published: July 4, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Infinite loop (CVE-ID: N/A)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a loop with an unreachable exit condition in the reflection parsing path when parsing attacker-influenced .proto schema text. A remote attacker can provide a crafted schema with an unterminated option declaration to cause a denial of service.
The issue affects parsing through parse, Root.load, and Root.loadSync, and can block the Node.js event loop until the process is externally terminated.
Remediation
Install the update from the vendor's website.
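Where untrusted .proto text still has to be parsed, the event-loop block described above can be bounded by running the parse in a child process that the parent kills on a deadline. The following is an added example, not code from the bulletin or from protobuf.js; `parseSchemaIsolated`, its options and the default timeout are hypothetical, and it assumes the `protobufjs` package is installed for the child.

```javascript
// Added example: parse untrusted .proto text in a killable child process so a
// parser that never returns cannot hang the calling Node.js process forever.
const { spawnSync } = require('node:child_process');

// Child program: read schema text from stdin, parse it, print the reflection
// tree as JSON. Assumption: the `protobufjs` package is resolvable here.
const PROTOBUFJS_CHILD = `
  const protobuf = require('protobufjs');
  const text = require('node:fs').readFileSync(0, 'utf8');
  process.stdout.write(JSON.stringify(protobuf.parse(text).root.toJSON()));
`;

// Hypothetical helper. Returns { ok: true, schema } or { ok: false, reason }.
// `childSource` is overridable so the isolation can be exercised without
// protobufjs (for example with a constructed stand-in that spins).
function parseSchemaIsolated(schemaText, opts = {}) {
  const { timeoutMs = 2000, childSource = PROTOBUFJS_CHILD } = opts;
  const res = spawnSync(process.execPath, ['-e', childSource], {
    input: schemaText,        // schema goes in on stdin, never on argv
    encoding: 'utf8',
    timeout: timeoutMs,       // parent-side deadline in milliseconds
    killSignal: 'SIGKILL',    // a spinning loop cannot catch or ignore this
    maxBuffer: 8 * 1024 * 1024,
  });
  if (res.error && res.error.code === 'ETIMEDOUT') {
    // The child did not finish in time: treat the schema as rejected.
    return { ok: false, reason: 'timeout' };
  }
  if (res.error || res.status !== 0) {
    // Ordinary parse failure (or spawn failure); keep a bounded diagnostic.
    return { ok: false, reason: 'parse-error', detail: String(res.stderr || '').slice(0, 500) };
  }
  try {
    return { ok: true, schema: JSON.parse(res.stdout) };
  } catch {
    return { ok: false, reason: 'bad-output' };
  }
}
```

`spawnSync` itself blocks the caller, but only for at most `timeoutMs`, which suits build steps and start-up loading; a request-serving process would apply the same deadline through the asynchronous `child_process` or `worker_threads` APIs.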