CVE-2026-45740 Overview
CVE-2026-45740 affects protobufjs, a widely used Node.js library that compiles Protocol Buffer definitions into JavaScript functions. Versions prior to 7.5.8 and 8.2.0 recurse without a depth limit when expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor containing deeply nested namespace definitions exhausts the JavaScript call stack during descriptor loading. The flaw is tracked under [CWE-674] (Uncontrolled Recursion) and results in a denial of service condition for any application loading attacker-controlled descriptors.
Critical Impact
Remote attackers can crash Node.js services that parse untrusted protobuf JSON descriptors, causing high-impact availability loss without authentication or user interaction.
Affected Products
- protobufjs versions prior to 7.5.8 (7.x branch)
- protobufjs versions prior to 8.2.0 (8.x branch)
- Node.js applications consuming the protobufjs_project:protobufjs package
Discovery Timeline
- 2026-05-13 - CVE-2026-45740 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45740
Vulnerability Analysis
The protobufjs library exposes Root.fromJSON() and Namespace.addJSON() to construct a runtime schema tree from a JSON descriptor object. These functions walk nested nested properties recursively to instantiate child namespaces, types, and enums. The implementation lacks any depth cap or iterative fallback, so each level of nesting consumes a JavaScript stack frame.
When an attacker provides a descriptor with thousands of nested namespaces, the recursive expansion exhausts the V8 call stack. The Node.js process raises a RangeError: Maximum call stack size exceeded and terminates the request handler. In long-running services that load descriptors at request time, this crashes worker processes and breaks downstream API consumers.
Root Cause
The root cause is uncontrolled recursion during descriptor expansion. The schema loader trusts the structural depth of the input JSON. No invariant enforces a maximum nesting level, and no counter tracks recursion depth across addJSON calls. Any caller that accepts protobuf descriptors from an untrusted source inherits the vulnerability.
Attack Vector
Exploitation requires network reachability to an endpoint that calls Root.fromJSON() or Namespace.addJSON() on attacker-supplied input. Common patterns include gRPC gateways, schema registries, and dynamic message brokers that accept JSON-encoded descriptors from clients. The attacker submits a small payload with deeply nested nested objects. No authentication, privileges, or user interaction are required.
No public proof-of-concept code is available. See the GitHub Security Advisory GHSA-jggg-4jg4-v7c6 for vendor technical details.
Detection Methods for CVE-2026-45740
Indicators of Compromise
- Repeated RangeError: Maximum call stack size exceeded errors in Node.js application logs originating in protobufjs source frames such as Namespace.addJSON or Root.fromJSON.
- Unexpected worker process restarts or container OOM-adjacent crashes correlated with inbound requests carrying protobuf JSON payloads.
- HTTP or gRPC requests containing JSON bodies with abnormally deep nested object chains.
Detection Strategies
- Inventory all services using protobufjs via Software Bill of Materials (SBOM) tooling and npm ls protobufjs to identify versions below 7.5.8 or 8.2.0.
- Inspect request bodies at API gateways for JSON structures exceeding a reasonable nesting depth (for example, 32 levels) before they reach application code.
- Correlate process crash telemetry with request traces to identify payloads that trigger stack exhaustion.
Monitoring Recommendations
- Alert on stack trace patterns containing protobufjs frames and RangeError exceptions in centralized logging.
- Track Node.js process restart counts and event loop stalls per service to surface availability regressions.
- Monitor inbound JSON payload size and structural depth distributions for outliers indicative of probing.
How to Mitigate CVE-2026-45740
Immediate Actions Required
- Upgrade protobufjs to 7.5.8 or 8.2.0 or later across all Node.js services and transitive dependencies.
- Audit application code for calls to Root.fromJSON() and Namespace.addJSON() that consume untrusted input.
- Restrict descriptor loading endpoints to authenticated, trusted clients until patching completes.
Patch Information
The maintainers fixed the issue in protobufjs7.5.8 and 8.2.0 by introducing depth enforcement during recursive descriptor expansion. Refer to the GitHub Security Advisory GHSA-jggg-4jg4-v7c6 for the official fix details and affected version ranges.
Workarounds
- Validate and reject JSON descriptors whose nesting depth exceeds an application-specific bound before invoking protobufjs loaders.
- Wrap descriptor loading in a worker thread or child process so stack exhaustion does not terminate the main service.
- Prefer loading .proto files from trusted on-disk sources rather than dynamic JSON input from network clients.
# Upgrade protobufjs to a patched release
npm install protobufjs@^8.2.0
# or for the 7.x branch
npm install protobufjs@^7.5.8
# Verify installed version
npm ls protobufjs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
