CVE-2026-54270

MEDIUM EPSS 20.9%
Published Jun 22, 20261w ago · Modified Jun 23, 20261w ago
5.3 CVSS 3.1
Medium
Find Similar
Published Jun 22, 2026 1w ago
Last Modified Jun 23, 2026 1w ago

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 to 8.4.2, protobufjs preserved unknown wire elements in message.$unknowns and did not provide a decode-time option to discard unknown fields before retaining them. A crafted protobuf payload containing many unknown fields could therefore cause a decoded message to retain substantially more memory than the input size would suggest, even when unknown-field round-tripping is not needed. protobufjs 8.5.0 added the relevant decode-time options, allowing applications that decode untrusted protobuf data to disable unknown-field retention during decode. protobufjs 8.6.2 flips the default so unknown fields are discarded unless explicitly opted into.

CVSS Details

Base Score
5.3
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

Threat Intelligence

EPSS Exploit Probability
20.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-770

References 1

  • github.com https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-94rc-8x27-4472

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.