CVE-2026-45740: DoS in protobuf.js
Platform
nodejs
Component
protobufjs
Fixed in
7.5.8
CVE-2026-45740 describes a Denial of Service (DoS) vulnerability in protobuf.js, a JavaScript library for compiling protobuf definitions. An attacker can exploit this flaw by providing a specially crafted JSON descriptor that triggers excessive recursion during descriptor loading, ultimately exhausting the JavaScript call stack and causing the application to crash. This vulnerability affects versions 7.0.0 through 8.2.0 and is resolved in version 7.5.8.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-45740 can lead to a complete denial of service for applications relying on protobuf.js. The attacker doesn't need to authenticate or have any prior access; simply providing the malicious JSON descriptor is sufficient to trigger the vulnerability. This can disrupt critical services, rendering applications unavailable to legitimate users. The impact is particularly severe in environments where protobuf.js is used to process external data, such as API endpoints or data ingestion pipelines, as an attacker could easily inject the malicious descriptor. The blast radius extends to any application or service dependent on the vulnerable protobuf.js library.
Exploitation Context
CVE-2026-45740 is not currently listed on KEV or EPSS. The CVSS score of 5.3 indicates a medium probability of exploitation. Public proof-of-concept (POC) code is likely to emerge given the relatively simple nature of the exploit. The vulnerability was published on 2026-05-13, so active exploitation campaigns are not yet confirmed, but the ease of exploitation suggests potential for future attacks.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- None — no confidentiality impact. Attacker cannot read protected data.
- Integrity
- None — no integrity impact. Attacker cannot modify data.
- Availability
- Low — partial or intermittent denial of service. Attacker can degrade performance.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-45740 is to upgrade to version 7.5.8 or 8.2.0 of protobuf.js. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing input validation to restrict the complexity of JSON descriptors processed by protobuf.js. Specifically, limit the nesting depth of JSON objects. While not a complete solution, this can reduce the likelihood of triggering the vulnerability. Monitor application logs for excessive memory usage or stack overflows, which could indicate exploitation attempts. After upgrading, confirm the fix by attempting to load a known malicious JSON descriptor (obtained from security advisories or vulnerability databases) and verifying that it no longer causes a crash.
How to fix
Actualice a la versión 7.5.8 o superior, o a la versión 8.2.0 o superior para mitigar la vulnerabilidad de denegación de servicio. La actualización corrige la falta de un límite de profundidad en la expansión de descriptores JSON anidados, previniendo el agotamiento de la pila de llamadas.
Frequently asked questions
What is CVE-2026-45740 — DoS in protobuf.js?
CVE-2026-45740 is a Denial of Service vulnerability in protobuf.js affecting versions 7.0.0 through 8.1.9. A crafted JSON descriptor can exhaust the JavaScript call stack, causing the application to crash and become unavailable.
Am I affected by CVE-2026-45740 in protobuf.js?
You are affected if your application uses protobuf.js versions 7.0.0 through 8.1.9. Check your project dependencies to determine if you are using a vulnerable version.
How do I fix CVE-2026-45740 in protobuf.js?
Upgrade to version 7.5.8 or 8.2.0 of protobuf.js. If upgrading is not immediately possible, consider implementing input validation to limit the complexity of JSON descriptors.
Is CVE-2026-45740 being actively exploited?
While no active exploitation campaigns have been confirmed, the vulnerability's simplicity suggests a potential for future attacks. Monitor your systems for suspicious activity.
Where can I find the official protobuf.js advisory for CVE-2026-45740?
Refer to the official protobuf.js GitHub repository and related security advisories for the most up-to-date information and announcements regarding CVE-2026-45740.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...