CVE-2018-3738
Description
protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crafted invalid .proto files trigger ReDoS in protobufjs before 6.8.6 (6.x line) and before 5.0.3 (5.x line): a backtracking regular expression in the parser runs for exponentially long on the malicious input.
Vulnerability
The vulnerability is a Regular Expression Denial of Service (ReDoS) in the protobufjs library, specifically in the logic that parses .proto files. The issue resides in parse.js, where a regular expression applied to tokens of the input exhibits catastrophic backtracking on a crafted invalid .proto file: the engine tries an exponential number of ways to match the token before failing, so a short input can keep the parser busy for seconds or longer [2]. Affected versions are those prior to 6.8.6 for the 6.x line and prior to 5.0.3 for the 5.x line [1][3].
Exploitation
An attacker exploits this by supplying a specially crafted invalid .proto file to the parser. No special network position or authentication is required if the parser processes untrusted input, for example a web application that lets users upload .proto files or a service that parses user-supplied protobuf definitions at runtime. The crafted input triggers the catastrophic backtracking, and the parser consumes CPU for a time that grows exponentially with the length of the malicious token. Deployments that only use generated static code or load JSON descriptors, and never call the .proto text parser on untrusted data, do not reach this code path.
Impact
Successful exploitation causes a denial of service (DoS). Regular-expression matching in Node.js runs synchronously on the event loop, so a single crafted file stalls every request the process is serving until the match finishes; repeated submissions exhaust CPU and may lead to health-check failures, restarts or wider resource exhaustion. The confidentiality and integrity of data are not directly compromised [1][3].
Mitigation
The vulnerability is patched in protobufjs 5.0.3 and 6.8.6 [3]; upgrade to at least those versions. protobufjs is frequently pulled in as a transitive dependency, so check the lockfile (npm ls protobufjs, or npm audit, which reports this issue under npm advisory 605 / GHSA-762f-c2wg-m8c8) rather than only the direct dependencies. If an immediate upgrade is not possible, do not pass untrusted .proto text to the affected versions' parser, and treat any remaining parsing of externally supplied definitions as a blocking operation that needs an input size limit and a timeout (for example, run it in a worker that can be terminated). The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
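The following is an added example, not code from protobufjs or from the page, illustrating the Vulnerability and Mitigation sections above. The two regular expressions are an assumed illustration of the bug's shape (an optional separator inside a repeated group, typical of a type-reference pattern), not the pattern quoted from parse.js; the crafted input is constructed here; and the version check encodes the affected ranges from the advisory table (before 5.0.3, and 6.0.0 up to but excluding 6.8.6).

```javascript
// Added example, not protobufjs code. It shows (1) why a regex with an
// optional separator inside a repeated group backtracks catastrophically on
// a crafted invalid identifier, (2) a linear-time pattern that accepts
// exactly the same strings, and (3) a version check against the advisory's
// affected ranges. Both regexes are illustrative assumptions about the
// shape of the bug, not quotes from protobufjs parse.js.

// Vulnerable shape: because the leading '.' is optional, "abcd" can be cut
// into segments in 2^(n-1) ways ((abcd), (a)(bcd), (ab)(cd), ...). When the
// input ends in a character the class rejects, a backtracking engine tries
// every cut before giving up: exponential time in the identifier length.
const VULNERABLE_TYPE_REF_RE = /^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/;

// Hardened shape: only the first segment may omit the '.', every later
// segment must start with one, so each input has a single tokenisation and
// a mismatch fails after O(n) steps.
const HARDENED_TYPE_REF_RE =
  /^\.?[a-zA-Z_][a-zA-Z_0-9]*(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*$/;

// Constructed attacker input: n identifier characters followed by '!', which
// is invalid in a type reference, so the regex can never match and must
// backtrack through every segmentation.
function craftedTypeRef(n) {
  return 'a'.repeat(n) + '!';
}

function timeTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Runs both patterns on the same crafted input and returns the timings.
function compareBacktracking(n) {
  const input = craftedTypeRef(n);
  return {
    n,
    vulnerable: timeTest(VULNERABLE_TYPE_REF_RE, input),
    hardened: timeTest(HARDENED_TYPE_REF_RE, input),
  };
}

// True when the two patterns give the same verdict for every sample, i.e.
// the hardened regex is a drop-in replacement, not a behaviour change.
function sameLanguage(samples) {
  return samples.every(
    (s) => VULNERABLE_TYPE_REF_RE.test(s) === HARDENED_TYPE_REF_RE.test(s)
  );
}

// Version check against the advisory's affected ranges:
// < 5.0.3, and >= 6.0.0 but < 6.8.6. Pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpVersion(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(v) {
  const lt = (w) => cmpVersion(v, w) < 0;
  const ge = (w) => cmpVersion(v, w) >= 0;
  return lt('5.0.3') || (ge('6.0.0') && lt('6.8.6'));
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = compareBacktracking(22);
  console.log(`n=${r.n} vulnerable: ${r.vulnerable.ms.toFixed(1)} ms, ` +
              `hardened: ${r.hardened.ms.toFixed(3)} ms`);
  for (const v of ['5.0.2', '5.0.3', '6.8.5', '6.8.6']) {
    console.log(v, isAffectedVersion(v) ? 'affected' : 'patched');
  }
}
```

Raising n by one roughly doubles the vulnerable pattern's running time, which is why a few dozen characters of invalid identifier are enough to stall a Node.js process; the hardened pattern stays in the microsecond range regardless of n.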
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| protobufjs | npm | >= 6.0.0, < 6.8.6 | 6.8.6 |
| protobufjs | npm | < 5.0.3 | 5.0.3 |
Affected products
- HackerOne / protobufjs node module v5, range: versions up to and including 6.8.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-762f-c2wg-m8c8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-3738 (GHSA, advisory)
- github.com/dcodeIO/protobuf.js/blob/6.8.5/src/parse.js (GHSA, web)
- hackerone.com/reports/319576 (GHSA, x_refsource_MISC, web)
- www.npmjs.com/advisories/605 (GHSA, web)
News mentions
No linked articles in our index yet.