CVE-2026-54270
Undergoing Analysis Undergoing Analysis - In Progress
Memory Exhaustion in protobufjs Due to Unknown Field Retention

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 to 8.4.2, protobufjs preserved unknown wire elements in message.$unknowns and did not provide a decode-time option to discard unknown fields before retaining them. A crafted protobuf payload containing many unknown fields could therefore cause a decoded message to retain substantially more memory than the input size would suggest, even when unknown-field round-tripping is not needed. protobufjs 8.5.0 added the relevant decode-time options, allowing applications that decode untrusted protobuf data to disable unknown-field retention during decode. protobufjs 8.6.2 flips the default so unknown fields are discarded unless explicitly opted into.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-23
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-54270
EUVD
EUVD-2026-38305
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
protobufjs protobufjs From 8.2.0 (inc) to 8.4.2 (inc)
protobufjs protobufjs 8.5.0
protobufjs protobufjs 8.6.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by causing your application to consume substantially more memory than expected when decoding untrusted protobuf data containing many unknown fields. This memory amplification can degrade system availability or even cause process termination, leading to denial of service.

The vulnerability has a CVSS v3 base score of 5.3, indicating medium severity, and it affects availability but does not impact confidentiality or integrity.

To mitigate this risk, it is recommended to upgrade to protobufjs version 8.5.0 or later and disable unknown-field retention if it is not needed. Additional mitigations include enforcing input size limits, request concurrency controls, and timeouts at the transport or application level.

Detection Guidance

This vulnerability involves protobufjs versions 8.2.0 through 8.4.2 retaining unknown fields during protobuf decoding, which can cause memory amplification. Detection involves identifying if your system or application is using these vulnerable protobufjs versions and if it processes untrusted protobuf data.

To detect the vulnerability on your system, first check the protobufjs version used by your application. For example, in a Node.js environment, you can run the following command to check the installed protobufjs version:

  • npm list protobufjs

If the version is between 8.2.0 and 8.4.2 inclusive, your system is potentially vulnerable.

To detect exploitation attempts or memory amplification on your system, monitor the memory usage of processes that decode protobuf data, especially if they handle untrusted inputs. You can use commands like:

  • top or htop (Linux) to monitor real-time memory usage
  • ps aux --sort=-rss | head -n 10 to list top memory-consuming processes

Additionally, network monitoring tools can be used to inspect protobuf payloads if you have the capability to decode protobuf messages, but specific commands for this depend on your environment and are not provided in the available resources.

Mitigation Strategies

The primary mitigation is to upgrade protobufjs to version 8.5.0 or later, preferably 8.6.2 or newer, where the default behavior discards unknown fields during decoding.

If upgrading immediately is not possible, configure your application to disable unknown-field retention during decode by using the decode-time options introduced in protobufjs 8.5.0.

Additional mitigations include enforcing input size limits, controlling request concurrency, and applying timeouts at the transport or application level to reduce the risk of memory amplification from crafted payloads.

Compliance Impact

This vulnerability impacts system availability by potentially causing memory amplification and process termination when decoding untrusted protobuf data. However, it does not affect confidentiality or integrity of data.

Since the vulnerability does not compromise data confidentiality or integrity, it is less likely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

Nonetheless, the availability impact could indirectly affect compliance if system downtime or denial of service leads to failure in maintaining required service levels or timely access to data.

Mitigations such as upgrading protobufjs to versions 8.5.0 or later, disabling unknown-field retention, and enforcing input-size limits and request controls can help maintain system availability and support compliance efforts.

Executive Summary

CVE-2026-54270 is a memory amplification vulnerability in protobufjs versions 8.2.0 through 8.4.2. The issue arises because the library preserved unknown wire elements in the message.$unknowns field during binary decoding without an option to discard them at decode time. This means that a crafted protobuf payload containing many unknown fields could cause the decoded message to consume significantly more memory than the size of the input data.

This vulnerability was fixed in protobufjs 8.5.0 by adding decode-time options to discard unknown fields, and in 8.6.2 by making discarding unknown fields the default behavior.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54270. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart