CVE-2026-48712
Received - Intake
Stack Overflow in protobufjs JSON Conversion

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1.
Affected Vendors & Products
Vendor      Product     Version / Range
protobufjs  protobufjs  below 8.4.1 (8.4.1 itself excluded)
Note that this single CPE range does not reflect the separate fix on the 7.x line: per the description, 7.x releases before 7.6.1 are affected and 7.6.1 is fixed, so a range check of "below 8.4.1" would wrongly mark a patched 7.6.1 install as vulnerable. Use the per-branch fixed versions (7.6.1 and 8.4.1) when assessing an installation.
CWE
CWE-674 (Uncontrolled Recursion): The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Executive Summary

CVE-2026-48712 is a denial-of-service vulnerability in the protobufjs library affecting versions up to 7.6.0 and from 8.0.0 to 8.4.0. When protobufjs converts a decoded protobuf message into a plain JavaScript object or JSON, the conversion recurses once per nesting level with no depth limit. A message containing deeply nested google.protobuf.Any values drives that recursion until the JavaScript engine exhausts its call stack and throws a RangeError ("Maximum call stack size exceeded" in V8). If nothing catches it, the error propagates out of the conversion, and an unhandled exception in a Node.js service ends the process.

The trigger is a crafted protobuf binary payload in which Any values wrap one another far more deeply than any legitimate message would. Both the generated toObject() conversion and the custom google.protobuf.Any JSON conversion path recurse without a limit, so the fault is reachable through either entry point once the payload has been decoded.

Impact Analysis

The impact is availability only: a single crafted message, delivered to any code path that decodes protobuf from an untrusted party and then calls toObject() or toJSON() on the result, exhausts the JavaScript call stack during conversion. The failure is a thrown RangeError rather than memory corruption, so it is catchable, but an application that does not catch it loses the worker or process handling that message, and the attacker can resend the message as often as needed to keep the service down.

Beyond the ability to deliver a message to the vulnerable conversion path, the attacker needs no privileges or user interaction, so the risk is greatest for network-facing services (gRPC or HTTP APIs, queue consumers, file importers) that accept protobuf from clients they do not control and convert it to JSON or plain objects, for example for logging, validation, or forwarding to another system.

Detection Guidance

Detection has two parts: establishing whether a vulnerable protobufjs (<=7.6.0, or >=8.0.0 and <=8.4.0) is present anywhere in the dependency tree, and establishing whether the application decodes untrusted protobuf input and converts it with toObject() or toJSON(), in particular input that may carry google.protobuf.Any values.

You can list the installed protobufjs versions, including transitive copies (protobufjs is commonly pulled in indirectly, for example by @grpc/proto-loader), with:

  • npm ls protobufjs (npm list protobufjs is the same command)
  • yarn list --pattern protobufjs on Yarn classic, or yarn why protobufjs on Yarn Berry

Several copies at different versions can coexist in one tree; every copy in the affected ranges needs to be updated, not only the direct dependency.

At runtime, an exploitation attempt (or an accidental hit) shows up as a RangeError with the message "Maximum call stack size exceeded" whose stack trace passes through the generated toObject or the Any conversion code in protobufjs. Search application logs, crash dumps, and unhandled-exception reports for that message and correlate it with the request or message that was being converted at the time.

The page gives no network-level signature for the crafted payloads. Because google.protobuf.Any has a fixed wire layout (field 1 type_url, field 2 value), a payload whose value field itself holds an Any, repeated layer after layer, can be recognised by a shallow, non-recursive scan of the raw bytes before conversion; short of that, a rise in application crashes or restarts that coincides with protobuf JSON conversion is the practical indicator of attempts.

Mitigation Strategies

The fix is to upgrade protobufjs to 7.6.1 on the 7.x line or 8.4.1 on the 8.x line, the versions in which this vulnerability is fixed. Check the whole dependency tree, since an older transitive copy remains exploitable even when the direct dependency is current.

If upgrading is not immediately possible, do not convert untrusted protobuf messages that may contain google.protobuf.Any values to JSON or plain objects, as the unbounded recursion happens in that conversion step. Where conversion cannot be avoided, wrap it in a try/catch so that the RangeError raised by a hostile message becomes a rejected request rather than an unhandled exception, and keep the conversion out of any code path whose failure takes down a shared worker.

Additionally, validate untrusted protobuf input before processing: enforce a maximum message size and a maximum nesting depth for Any values (legitimate messages rarely need more than a few levels), and reject anything deeper before it reaches the conversion code.
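The pre-conversion depth check just described, and the payload-level scan mentioned under Detection Guidance, as an added example written for this page rather than code from protobufjs or from the advisory. It assumes only the documented wire layout of google.protobuf.Any (field 1 type_url, field 2 value) and works on raw bytes, so it needs no schema and no protobufjs import. The function names, the 5000-level constructed payload, the example.Foo type URL, and the convert callback (standing in for the application's own protobufjs decode + toObject call, which is not included) are all assumptions of this example:

```javascript
// Added example, not protobufjs code: an iterative, schema-free depth check on
// raw google.protobuf.Any wire bytes, run before any decode/toObject/toJSON call
// so a crafted Any-in-Any chain is rejected without any recursive conversion.
// Any on the wire: field 1 = type_url (string), field 2 = value (bytes).
const ANY_TYPE_URL = 'type.googleapis.com/google.protobuf.Any';

function writeVarint(n) {
  const out = [];
  while (n > 0x7f) { out.push((n & 0x7f) | 0x80); n >>>= 7; }
  out.push(n);
  return Uint8Array.from(out);
}

function readVarint(buf, pos) {
  let value = 0, shift = 0;
  for (;;) {
    if (pos >= buf.length) throw new Error('truncated varint');
    const b = buf[pos++];
    value += (b & 0x7f) * 2 ** shift;   // multiply, not <<, to stay exact past 2^31
    if ((b & 0x80) === 0) return { value, pos };
    shift += 7; if (shift > 63) throw new Error('varint too long');
  }
}

function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// Length-delimited field (wire type 2): tag, length, payload.
function encodeBytesField(fieldNo, bytes) {
  return concat(writeVarint((fieldNo << 3) | 2), writeVarint(bytes.length), bytes);
}

function encodeAny(typeUrl, valueBytes) {
  return concat(encodeBytesField(1, new TextEncoder().encode(typeUrl)), encodeBytesField(2, valueBytes));
}

// Constructed payload: `wrappers` Any layers around an innermost Any carrying a
// hypothetical example.Foo message (the type URL is a placeholder).
function buildNestedAny(wrappers, innerTypeUrl, innerBytes) {
  let msg = encodeAny(innerTypeUrl, innerBytes);
  for (let i = 0; i < wrappers; i++) msg = encodeAny(ANY_TYPE_URL, msg);
  return msg;
}

// One Any message -> { typeUrl, value }, skipping other fields. Groups (wire
// types 3/4) and truncated fields are rejected as malformed.
function parseAny(buf) {
  let pos = 0, typeUrl = '', value = new Uint8Array(0);
  while (pos < buf.length) {
    const tag = readVarint(buf, pos);
    const fieldNo = Math.floor(tag.value / 8), wireType = tag.value & 7;
    pos = tag.pos;
    if (wireType === 0) pos = readVarint(buf, pos).pos;
    else if (wireType === 1) pos += 8;
    else if (wireType === 5) pos += 4;
    else if (wireType === 2) {
      const len = readVarint(buf, pos);
      const body = buf.subarray(len.pos, len.pos + len.value);
      pos = len.pos + len.value;
      if (fieldNo === 1) typeUrl = new TextDecoder().decode(body);
      else if (fieldNo === 2) value = body;
    } else throw new Error(`unsupported wire type ${wireType}`);
    if (pos > buf.length) throw new Error('truncated field');
  }
  return { typeUrl, value };
}

// Number of Any messages in the chain (the outer message counts as 1). Throws
// RangeError as soon as the chain exceeds maxDepth. A loop, not a recursion, so
// the scan itself cannot overflow the stack however deep the payload is.
function anyChainLength(buf, maxDepth) {
  let depth = 1, current = buf;
  for (;;) {
    if (depth > maxDepth) throw new RangeError(`Any nesting deeper than ${maxDepth}`);
    const { typeUrl, value } = parseAny(current);
    if (typeUrl.split('/').pop() !== 'google.protobuf.Any') return depth;
    depth += 1;
    current = value;
  }
}

// Pre-check, then the application's real conversion (in practice a protobufjs
// decode + toObject; the callback is a placeholder). Any throw, including V8's
// "Maximum call stack size exceeded" RangeError, rejects the message instead of
// escaping as an unhandled exception.
function guardedConvert(buf, convert, maxDepth) {
  try {
    anyChainLength(buf, maxDepth);
    return { ok: true, result: convert(buf) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

const fooBytes = new Uint8Array([0x08, 0x01]);   // constructed example.Foo { field 1 = 1 }
const deepPayload = buildNestedAny(5000, 'type.googleapis.com/example.Foo', fooBytes);
console.log('chain length:', anyChainLength(deepPayload, 10000));                   // 5001
console.log('accepted at limit 32:', guardedConvert(deepPayload, parseAny, 32).ok);  // false
```

The scan is linear in payload size and stops at the first layer past the limit, so it is cheap to run on every inbound message. It only understands Any-in-Any chains; a self-referential message type nested through ordinary embedded fields needs a schema-aware depth limit instead, and either check is a stopgap until the upgrade to 7.6.1 or 8.4.1 is in place.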

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
