Infinite loop in protobuf.js - #VU136898

 


Published: July 4, 2026


Vulnerability identifier: #VU136898
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-835
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: protobuf.js
Affected software:
protobuf.js

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a loop with an unreachable exit condition in the reflection parsing path when parsing attacker-influenced .proto schema text. A remote attacker can provide a crafted schema with an unterminated option declaration to cause a denial of service.

The issue affects parsing through parse, Root.load, and Root.loadSync, and can block the Node.js event loop until the process is externally terminated.


Remediation

Install the security update from the vendor's website.
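Because the hang described above blocks the Node.js event loop, a service that must accept untrusted .proto text can also contain the parse in a worker thread with a deadline. The following is an added example, not code from protobuf.js or from this advisory; `runWithDeadline`, `parseUntrustedSchema`, the `EPARSE_TIMEOUT` error code and the 1000 ms default are assumptions made for illustration.

```javascript
const { Worker } = require('node:worker_threads');

// Worker body: the only place protobuf.js touches the untrusted text.
// Root objects cannot be structured-cloned, so the JSON descriptor is sent back.
const PROTOBUF_WORKER = `
  const { parentPort, workerData } = require('node:worker_threads');
  const protobuf = require('protobufjs');
  parentPort.postMessage(protobuf.parse(workerData.text).root.toJSON());
`;

// Run workerSource in a worker thread and terminate it if no result arrives in time.
function runWithDeadline(workerSource, workerData, timeoutMs) {
  return new Promise((resolve, reject) => {
    const worker = new Worker(workerSource, { eval: true, workerData });
    let settled = false;
    const finish = (fn, value) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      worker.terminate(); // also stops a worker stuck in a loop that never exits
      fn(value);
    };
    const timer = setTimeout(() => {
      const err = new Error(`schema parse exceeded ${timeoutMs} ms`);
      err.code = 'EPARSE_TIMEOUT'; // assumed error code, not a protobuf.js value
      finish(reject, err);
    }, timeoutMs);
    worker.once('message', (msg) => finish(resolve, msg));
    worker.once('error', (err) => finish(reject, err));
    worker.once('exit', (code) =>
      finish(reject, new Error(`worker exited with code ${code}`)));
  });
}

// Hypothetical wrapper for untrusted .proto text (needs protobufjs installed).
// The main thread stays responsive; a hung parse is rejected after timeoutMs.
function parseUntrustedSchema(text, timeoutMs = 1000) {
  if (typeof text !== 'string') {
    return Promise.reject(new TypeError('schema text must be a string'));
  }
  return runWithDeadline(PROTOBUF_WORKER, { text }, timeoutMs);
}
```

The resolved descriptor can be turned back into a reflection root on the main thread with `protobuf.Root.fromJSON`. A rejection with `EPARSE_TIMEOUT` is worth logging together with the source of the schema.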
