Infinite loop in protobuf.js - #VU136898
Published: July 4, 2026
protobuf.js
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to loop with unreachable exit condition in the reflection parsing path when parsing attacker-influenced .proto schema text. A remote attacker can provide a crafted schema with an unterminated option declaration to cause a denial of service.
The issue affects parsing through parse, Root.load, and Root.loadSync, and can block the Node.js event loop until the process is externally terminated.