5.3
CVE-2026-54270
- EPSS 0.29%
- Veröffentlicht 22.06.2026 16:19:20
- Zuletzt bearbeitet 24.06.2026 20:39:18
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginprotobufjs: Memory amplification from preserved unknown fields in binary decode
protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 to 8.4.2, protobufjs preserved unknown wire elements in message.$unknowns and did not provide a decode-time option to discard unknown fields before retaining them. A crafted protobuf payload containing many unknown fields could therefore cause a decoded message to retain substantially more memory than the input size would suggest, even when unknown-field round-tripping is not needed. protobufjs 8.5.0 added the relevant decode-time options, allowing applications that decode untrusted protobuf data to disable unknown-field retention during decode. protobufjs 8.6.2 flips the default so unknown fields are discarded unless explicitly opted into.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Protobufjs Project ≫ Protobufjs SwPlatformnode.js Version >= 8.2.0 < 8.5.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.29% | 0.208 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-94rc-8x27-4472