Recursion Stack Overflow in protobufjs Decoding before 7.5.6/8.0.2
CVE-2026-44289 Published on May 13, 2026
protobufjs: Denial of service through unbounded protobuf recursion
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.
Vulnerability Analysis
CVE-2026-44289 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Types
What is a Stack Exhaustion Vulnerability?
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
CVE-2026-44289 has been classified to as a Stack Exhaustion vulnerability or weakness.
Unchecked Input for Loop Condition
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
Products Associated with CVE-2026-44289
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
protobufjs protobuf.js:- Version < 7.5.6 is affected.
- Version >= 8.0.0, < 8.0.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.