CVE-2026-45740: DoS in protobuf.js
Platform
nodejs
Component
protobufjs
Fixed in
7.5.8 (7.x line), 8.2.0 (8.x line)
CVE-2026-45740 describes a Denial of Service (DoS) vulnerability in protobuf.js, a JavaScript implementation of Protocol Buffers that can load schemas from JSON descriptors. An attacker who can supply a specially crafted JSON descriptor triggers unbounded recursion while the descriptor is loaded, exhausting the JavaScript call stack and crashing or stalling the process. The 7.x line before 7.5.8 and the 8.x line before 8.2.0 are affected; fixes are available in 7.5.8 and 8.2.0.
Impact and attack scenarios
The primary impact of CVE-2026-45740 is denial of service: a successful exploit makes the application using protobuf.js crash or become unresponsive. The root cause is the absence of a depth limit when nested JSON descriptors are expanded through Root.fromJSON() and Namespace.addJSON(). An attacker crafts a descriptor whose namespace definitions nest thousands of levels deep; the loader recurses once per level and exhausts the call stack. In Node.js this surfaces as RangeError: Maximum call stack size exceeded, which terminates the process if nothing catches it. The exposure is limited to code paths that accept descriptors from untrusted sources (schemas uploaded by clients, fetched from a registry, or loaded from plugins); applications that only load descriptors bundled with their own code are not reachable by an attacker through this bug.
Exploitation context
CVE-2026-45740 was published on 2026-05-13 and is rated Medium (CVSS 5.3). No public exploits or active campaigns targeting it are currently known, and it is not listed in CISA KEV. That does not lower the risk much: the payload is nothing more than a deeply nested JSON object, so any endpoint that accepts descriptors from untrusted parties should be treated as exposed.
Threat analysis
Exploit status: no public exploit or active campaign known; not listed in CISA KEV.
CISA SSVC
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (CVSS 3.x base score 5.3, Medium)
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the Internet; no physical or local access required.
- Attack Complexity
- Low: no special conditions required; reliably exploitable.
- Privileges Required
- None: exploitable without authentication; no credentials needed.
- User Interaction
- None: no action by the victim is required.
- Scope
- Unchanged: impact is confined to the vulnerable component.
- Confidentiality
- None: no confidentiality impact.
- Integrity
- None: no integrity impact.
- Availability
- Low: partial or intermittent denial of service.
Affected software
protobufjs (npm, Node.js): 7.x before 7.5.8 and 8.x before 8.2.0
Timeline
- Reserved
- Published: 2026-05-13
Mitigation and workarounds
The recommended mitigation for CVE-2026-45740 is to upgrade protobuf.js to 7.5.8 (7.x line) or 8.2.0 (8.x line). Check for nested copies as well: npm often installs protobufjs several times when it is pulled in transitively, and every copy that loads untrusted descriptors must be updated. If an immediate upgrade is not possible, validate JSON descriptors before they reach Root.fromJSON() or Namespace.addJSON(): enforce a maximum nesting depth, and compute that depth iteratively, because a recursive validator overflows on the same input it is meant to reject. A Web Application Firewall can be configured to reject JSON bodies with excessive nesting, but this is not a reliable control: many WAFs parse JSON only to a fixed depth themselves, and descriptors may arrive over channels the WAF does not inspect. After upgrading, verify the fix by generating a deeply nested descriptor yourself (a known malicious sample is not required) and confirming that loading it fails with an ordinary error rather than a call-stack overflow, and that the process neither crashes nor consumes excessive resources.
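The depth gate recommended above, together with a generator for the nested-namespace payload described under impact, as an added example. This is not code from protobuf.js or from this advisory; the limit MAX_DESCRIPTOR_DEPTH, the function names and the constructed descriptor are choices made here, and the example deliberately does not import protobufjs so it runs on its own.

```javascript
// Added example (not protobuf.js code): a depth gate for untrusted JSON
// descriptors, plus a generator for the nested-namespace payload shape this
// advisory describes. MAX_DESCRIPTOR_DEPTH is an assumed policy value.

const MAX_DESCRIPTOR_DEPTH = 32; // assumption: legitimate schemas nest far less than this

// Nesting depth of a parsed JSON value (objects/arrays only; scalars add nothing).
// Iterative with an explicit stack on purpose: a recursive walker would itself
// overflow the call stack on exactly the payload it is meant to reject. Stops
// early once `limit` is exceeded so a huge payload is not walked to the end.
function jsonDepth(value, limit = Infinity) {
  let max = 0;
  const stack = [{ value, depth: 1 }];
  while (stack.length > 0) {
    const { value: v, depth } = stack.pop();
    if (v === null || typeof v !== 'object') continue;
    if (depth > max) max = depth;
    if (max > limit) return max;
    const children = Array.isArray(v) ? v : Object.values(v);
    for (const child of children) stack.push({ value: child, depth: depth + 1 });
  }
  return max;
}

// Gate to run before Root.fromJSON() / Namespace.addJSON(). Returns the
// descriptor unchanged when it is within limits, throws otherwise.
function checkDescriptor(descriptor, maxDepth = MAX_DESCRIPTOR_DEPTH) {
  const depth = jsonDepth(descriptor, maxDepth);
  if (depth > maxDepth) {
    throw new Error(`descriptor nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return descriptor;
}

// Constructed test input: `levels` namespaces nested inside each other around
// one small message type, the shape of descriptor that triggers the bug.
// Built iteratively for the same reason the checker is.
function buildNestedDescriptor(levels) {
  let node = { fields: { id: { type: 'uint32', id: 1 } } };
  for (let i = 0; i < levels; i++) {
    node = { nested: { ['ns' + i]: node } };
  }
  return node;
}

// Stand-alone demo: a benign schema passes, a deep one is rejected up front.
console.log('benign descriptor depth:', jsonDepth(buildNestedDescriptor(3)));
try {
  checkDescriptor(buildNestedDescriptor(100000));
} catch (e) {
  console.log('rejected:', e.message);
}
```

Put checkDescriptor(JSON.parse(body)) in front of every call that turns untrusted JSON into a Root, cap the raw body size before JSON.parse, and parse inside a try/catch. The same generator doubles as the post-upgrade check: hand buildNestedDescriptor(100000) to protobuf.Root.fromJSON() inside a try/catch. A vulnerable build throws RangeError: Maximum call stack size exceeded (fatal when uncaught); a patched build is expected to reject the descriptor with an ordinary error instead, though the exact error it raises is not stated on this page.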
How to fix
Upgrade to version 7.5.8 or later on the 7.x line, or 8.2.0 or later on the 8.x line, to mitigate the denial-of-service vulnerability. The update adds the missing depth limit on the expansion of nested JSON descriptors, preventing call-stack exhaustion.
Frequently asked questions
What is CVE-2026-45740 — DoS in protobuf.js?
CVE-2026-45740 is a Denial of Service vulnerability in protobuf.js where a crafted JSON descriptor with deeply nested namespaces exhausts the JavaScript call stack, crashing or stalling the process. It affects 7.x releases before 7.5.8 and 8.x releases before 8.2.0.
Am I affected by CVE-2026-45740 in protobuf.js?
You are affected if your application uses protobuf.js 7.x before 7.5.8 or 8.x before 8.2.0 and passes JSON descriptors from untrusted sources to Root.fromJSON() or Namespace.addJSON(). Run npm ls protobufjs (or inspect your lockfile) to find every installed copy, including nested ones: protobufjs is frequently a transitive dependency of gRPC and Google Cloud client libraries, so it may be present even if your package.json does not list it.
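A lockfile check that does what the answer above describes, as an added example (not code from this advisory or from protobuf.js): it finds every protobufjs entry in a package-lock.json, including nested copies under other packages, and flags the versions inside the affected ranges stated on this page. The two sample lockfiles are constructed for the example; the dependency on @grpc/proto-loader is illustrative.

```javascript
// Added example (not from this advisory or protobuf.js): flag vulnerable
// protobufjs versions in a package-lock.json. Sample lockfiles are constructed.

// Fixed versions per major line, as stated in the advisory.
const FIXED = { 7: [7, 5, 8], 8: [8, 2, 0] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True for 7.x before 7.5.8 and 8.x before 8.2.0. Versions that are not plain
// semver (git URLs, prerelease tags) return false and should be checked by hand.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return false;
  const fixed = FIXED[v[0]];
  if (!fixed) return false; // majors outside the stated affected range
  return compareVersions(v, fixed) < 0;
}

// Collect every installed protobufjs with its install path. lockfileVersion 2/3
// lists flat "packages" keyed by path; lockfileVersion 1 nests "dependencies".
function findProtobufjs(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/protobufjs') && meta.version) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const stack = [['', lock.dependencies]];
    while (stack.length > 0) {
      const [prefix, deps] = stack.pop();
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + name;
        if (name === 'protobufjs' && meta.version) hits.push({ path, version: meta.version });
        if (meta.dependencies) stack.push([path + '/', meta.dependencies]);
      }
    }
  }
  return hits;
}

function scanLockfile(lock) {
  return findProtobufjs(lock).map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample, lockfileVersion 3: a root copy and a nested copy.
const SAMPLE_LOCK_V3 = {
  name: 'example-service',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-service', dependencies: { '@grpc/proto-loader': '^0.7.0', protobufjs: '^8.0.0' } },
    'node_modules/protobufjs': { version: '8.1.0' },
    'node_modules/@grpc/proto-loader': { version: '0.7.0', dependencies: { protobufjs: '^7.2.0' } },
    'node_modules/@grpc/proto-loader/node_modules/protobufjs': { version: '7.5.8' },
  },
};

// Constructed sample, lockfileVersion 1: same layout in the nested format.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    '@grpc/proto-loader': { version: '0.7.0', dependencies: { protobufjs: { version: '7.5.7' } } },
    protobufjs: { version: '8.2.0' },
  },
};

// Stand-alone run: scan a lockfile given on the command line, else the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK_V3;
  for (const hit of scanLockfile(lock)) {
    console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok        '} ${hit.version}  ${hit.path}`);
  }
}
```

Run it as node scan.js path/to/package-lock.json. Any line marked VULNERABLE needs an update of that copy, not just the top-level dependency; an override or resolution in package.json is the usual way to force a nested copy forward.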
How do I fix CVE-2026-45740 in protobuf.js?
Upgrade to protobuf.js 7.5.8 (7.x line) or 8.2.0 (8.x line), including any nested copies installed under other packages. If an immediate upgrade isn't possible, enforce a nesting-depth limit on JSON descriptors before they reach Root.fromJSON() or Namespace.addJSON(), using an iterative check that cannot itself overflow.
Is CVE-2026-45740 being actively exploited?
No public exploits or active campaigns targeting CVE-2026-45740 are currently known, and it is not listed in CISA KEV. The risk remains because the triggering input is trivial to construct, so treat any service that accepts descriptors from untrusted parties as exposed until it is patched.
Where can I find the official protobuf.js advisory for CVE-2026-45740?
Refer to the protobuf.js repository at https://github.com/protobufjs/protobuf.js (its security advisories and release notes) and the npm advisory database for the latest information on CVE-2026-45740.