CVE-2026-59877
Received Received - Intake

ReDoS in protobufjs via Malformed Proto Schema

Vulnerability report for CVE-2026-59877, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
protobufjs protobufjs to 7.6.5 (exc)
protobufjs protobufjs to 8.6.6 (exc)
protobufjs protobufjs From 7.5.0 (inc) to 7.6.5 (exc)
protobufjs protobufjs From 8.0.0 (inc) to 8.6.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59877 is a vulnerability in the protobufjs JavaScript library used for compiling protobuf definitions. The issue arises because the library's parser advances through schema tokens looking for an equals sign (=) to parse option names without checking if it has reached the end of the input. If a crafted .proto schema opens an option declaration but ends prematurely, this causes the parser to enter an infinite loop.

This infinite loop occurs during parsing operations such as parse, Root.load, or Root.loadSync, effectively causing the application to hang indefinitely.

Compliance Impact

The vulnerability CVE-2026-59877 causes an infinite loop during parsing of crafted .proto schemas, leading to a denial of service (DoS) condition by blocking the Node.js event loop. This DoS can disrupt availability of applications that parse untrusted .proto schemas.

While the vulnerability itself does not directly expose sensitive data or impact confidentiality or integrity, the resulting denial of service could affect compliance with standards like GDPR or HIPAA that require maintaining availability and reliability of systems processing personal or protected health information.

Organizations relying on protobuf.js for parsing .proto schemas in environments subject to such regulations should consider the risk of service disruption and apply patches or mitigations to maintain compliance with availability requirements.

Impact Analysis

This vulnerability can cause a denial of service (DoS) in applications that use protobufjs to parse untrusted .proto schema files. Because Node.js is single-threaded, the infinite loop blocks the event loop, preventing the application from processing any other tasks.

As a result, the application becomes unresponsive and must be forcibly terminated to recover. This can disrupt services and impact availability.

Applications that only encode or decode protobuf binary data with trusted schemas are not directly affected.

Detection Guidance

This vulnerability manifests as an infinite loop during parsing of crafted .proto schema option declarations, causing the application to hang or become unresponsive.

Detection can involve monitoring for processes using protobufjs versions between 7.5.0 and 7.6.4 or 8.0.0 to 8.6.5 that parse untrusted .proto schemas, especially if the application becomes unresponsive or CPU usage spikes.

Since the issue occurs during parsing, you can check the protobufjs version installed in your environment using commands like:

  • npm list protobufjs
  • or check package.json dependencies for protobufjs version.

To detect if the vulnerability is being triggered, monitor application logs or runtime behavior for hangs or infinite loops during calls to protobufjs APIs such as parse, Root.load, or Root.loadSync.

No specific network commands are provided in the resources, but isolating parsing in a separate process and monitoring for timeouts can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade protobufjs to a patched version: 7.6.5 or 8.6.6, which include fixes for the infinite loop during options parsing.

If upgrading immediately is not possible, avoid parsing .proto schemas from untrusted sources using affected protobufjs versions.

Another workaround is to isolate the parsing operation in a separate process or worker thread with a timeout mechanism to prevent the entire application from hanging due to the infinite loop.

Ensure that your application only parses trusted .proto schemas or validates schemas before parsing to reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59877. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart