CVE-2026-44289 Overview
CVE-2026-44289 is a denial of service vulnerability in protobufjs, a library that compiles Protocol Buffers (protobuf) definitions into JavaScript functions. Versions prior to 7.5.6 and 8.0.2 recurse without a depth limit while decoding nested protobuf data. The flaw affects both the skip routine for unknown group fields and the generated decoder for nested message fields. A remote attacker can submit a crafted protobuf binary payload that exhausts the JavaScript call stack during decoding. The issue is tracked under CWE-674 (Uncontrolled Recursion) and is fixed in 7.5.6 and 8.0.2.
Critical Impact
An unauthenticated attacker can crash any Node.js service that decodes attacker-controlled protobuf data by triggering stack exhaustion, causing service disruption.
Affected Products
- protobufjs versions prior to 7.5.6 (Node.js)
- protobufjs versions prior to 8.0.2 (Node.js)
- Applications and services that decode untrusted protobuf payloads using vulnerable protobufjs releases
Discovery Timeline
- 2026-05-13 - CVE-2026-44289 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44289
Vulnerability Analysis
The vulnerability resides in how protobufjs decodes nested protobuf structures. Protocol Buffers permit deeply nested message and group fields. The library processes these structures recursively, descending one stack frame per nesting level. Without a depth ceiling, attacker-controlled nesting maps directly to JavaScript call stack frames.
When the decoder encounters an unknown group field, the skip routine recurses to traverse the inner group. Generated decoders for known nested message types follow the same recursive pattern. A crafted payload containing thousands of nested groups or messages forces the V8 engine to exceed its maximum call stack size. The runtime throws RangeError: Maximum call stack size exceeded, terminating the request handler or the process.
The impact is restricted to availability. The library does not corrupt memory or expose data, but it stops processing legitimate traffic until the service is restarted or the malicious input is filtered.
Root Cause
The root cause is the absence of a recursion depth limit in both the skip function for unknown groups and the code emitted by the decoder generator for nested message fields. The decoder trusts the structure of the input wire format and follows nesting until input is consumed or the runtime fails.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. Any endpoint that accepts protobuf input and passes it to a vulnerable protobufjs decoder is reachable. Typical targets include gRPC services, REST APIs that accept application/x-protobuf bodies, message queue consumers, and inter-service communication channels. The attacker sends a single small payload with extreme field nesting to exhaust the stack.
No public exploit code is documented for this CVE. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-685m-2w69-288q.
Detection Methods for CVE-2026-44289
Indicators of Compromise
- Repeated RangeError: Maximum call stack size exceeded exceptions thrown from protobufjs decode paths in application logs
- Node.js worker crashes or process restarts correlated with inbound protobuf traffic
- Sudden spikes in 5xx responses or gRPC UNAVAILABLE errors from services that accept protobuf input
- Inbound protobuf payloads that are small in size but contain unusually deep nesting structures
Detection Strategies
- Inventory all Node.js services and dependencies that include protobufjs below 7.5.6 or 8.0.2 using npm ls protobufjs or software composition analysis tooling
- Inspect API gateway and reverse proxy logs for repeated client errors from a single source against protobuf endpoints
- Add structured logging around protobuf decode calls to capture RangeError exceptions with source IP and payload size
Monitoring Recommendations
- Monitor Node.js process restart counts and unhandled exception metrics for services exposing protobuf endpoints
- Alert on bursts of identical malformed protobuf payloads from a single client identifier
- Track dependency versions in CI pipelines and fail builds that pull vulnerable protobufjs ranges
How to Mitigate CVE-2026-44289
Immediate Actions Required
- Upgrade protobufjs to 7.5.6 or 8.0.2 or later across all Node.js applications and transitive dependencies
- Audit lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) to confirm the patched version resolves at runtime
- Rebuild and redeploy container images that bundle Node.js services to ensure the patched library is loaded
- Rate-limit unauthenticated protobuf endpoints to reduce exposure while patching is in progress
Patch Information
The maintainers fixed the recursion in protobufjs 7.5.6 and 8.0.2. The patched versions enforce a recursion depth limit during both unknown group skipping and nested message decoding. Refer to the protobufjs Security Advisory GHSA-685m-2w69-288q for upgrade details.
Workarounds
- Enforce a maximum request body size on protobuf endpoints to limit the practical nesting depth an attacker can deliver
- Reject protobuf payloads at the gateway when wire-format inspection reveals abnormal nesting depth
- Isolate protobuf decoding inside a worker thread or child process so a stack exhaustion crash does not terminate the parent service
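The gateway-side wire-format inspection listed above, written as an added example that is neither protobufjs code nor part of the advisory: it walks the raw bytes with an explicit stack, so it counts the same group and sub-message nesting the recursive decoder would descend into without recursing itself. The depth limit of 64 and the handling of length-delimited fields (counted as nested only while their bytes parse as a message, which can over-count a serialized message carried inside a bytes field) are assumptions of this example.

```javascript
// Reads a base-128 varint within [pos, end); returns [value, nextPos] or throws if truncated.
function readVarint(buf, pos, end) {
  for (let value = 0, shift = 0; pos < end && shift < 64; shift += 7) {
    const b = buf[pos++];
    value += (b & 0x7f) * 2 ** shift;
    if ((b & 0x80) === 0) return [value, pos];
  }
  throw new Error("truncated varint");
}
// Walks the wire format with an explicit stack (so the check itself cannot overflow) and returns the
// deepest nesting seen, or limit + 1 as soon as the limit is exceeded. Groups (wire types 3/4) nest
// unambiguously; a length-delimited field (wire type 2) counts as nested only while it parses as a message.
function measureNestingDepth(buf, limit = 64) {
  const stack = [];                          // open scopes: { kind: "len" | "group", field, end }
  let pos = 0, maxDepth = 0;
  for (;;) {
    const bound = stack.length ? stack[stack.length - 1].end : buf.length;
    try {
      if (pos === bound) {                   // end of the buffer or of a length-delimited scope
        if (!stack.length) return maxDepth;
        if (stack[stack.length - 1].kind === "group") throw new Error("unterminated group");
        maxDepth = Math.max(maxDepth, stack.length); stack.pop();
        continue;
      }
      let tag; [tag, pos] = readVarint(buf, pos, bound);
      const field = Math.floor(tag / 8), wt = tag & 7; // 0 varint, 1 fixed64, 2 len, 3/4 group, 5 fixed32
      if (field === 0 || wt > 5) throw new Error("bad tag");
      if (wt === 0) pos = readVarint(buf, pos, bound)[1];
      else if (wt === 1 || wt === 5) pos += wt === 1 ? 8 : 4;
      else if (wt === 2) {
        let len; [len, pos] = readVarint(buf, pos, bound);
        if (len > 0) stack.push({ kind: "len", field, end: pos + len });
      } else if (wt === 3) stack.push({ kind: "group", field, end: bound });
      else {                                 // wt 4: end-group must close the innermost open group
        const top = stack[stack.length - 1];
        if (!top || top.kind !== "group" || top.field !== field) throw new Error("stray end-group");
        maxDepth = Math.max(maxDepth, stack.length); stack.pop();
      }
      if (pos > bound || (stack.length && stack[stack.length - 1].end > bound)) throw new Error("overrun");
      if (stack.length > limit) return limit + 1;  // deeper than policy allows: stop scanning
    } catch (err) {                          // malformed inside a length-delimited scope: skip it as bytes
      const i = stack.map(f => f.kind).lastIndexOf("len");
      if (i < 0) throw err;                  // malformed at the top level (or inside groups only)
      pos = stack[i].end; stack.length = i;
    }
  }
}
// Constructed samples (not captured traffic): field 1 nested n deep as groups, and as sub-messages (n <= 63).
const deepGroups = n => Buffer.from([...Array(n).fill(0x0b), ...Array(n).fill(0x0c)]);
const deepMessages = n => { let b = [0x10, 0x01]; while (n--) b = [0x0a, b.length, ...b]; return Buffer.from(b); };
```

A payload whose measured depth exceeds the limit, or that throws as malformed at the top level, is rejected before it reaches the protobufjs decoder; a depth limit that matches the one enforced by the patched releases keeps gateway and service behaviour consistent.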
# Configuration example
npm install protobufjs@^7.5.6
# or for the 8.x branch
npm install protobufjs@^8.0.2
npm ls protobufjs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.