VYPR
Medium severity (CVSS 5.3) · GHSA Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

protobufjs: Memory amplification from preserved unknown fields in binary decode

CVE-2026-54270

Description

Summary

protobufjs 8.2.0 added support for preserving unknown fields encountered during binary decode. Affected versions preserved unknown wire elements in message.$unknowns and did not provide a decode-time option to discard unknown fields before retaining them.

A crafted protobuf payload containing many unknown fields could therefore cause a decoded message to retain substantially more memory than the input size would suggest, even when unknown-field round-tripping is not needed. protobufjs 8.5.0 added the relevant decode-time options, allowing applications that decode untrusted protobuf data to disable unknown-field retention during decode. protobufjs 8.6.2 flips the default so unknown fields are discarded unless explicitly opted into.

Impact

An attacker who can provide protobuf binary data decoded by an application using affected protobufjs versions may be able to increase memory pressure by sending messages with many unknown fields. This can degrade availability or contribute to process termination in services that decode and retain attacker-controlled messages.

This issue affects applications that decode untrusted protobuf binary input and do not need unknown-field round-tripping. Applications that only decode trusted protobuf data, already enforce input-size/concurrency limits, or do not retain decoded messages beyond immediate processing are less directly affected.

Preconditions

  • The application must decode protobuf binary data influenced by an attacker.
  • The decoded schema must not define the attacker-selected field numbers, causing those fields to be treated as unknown.
  • The application must use a protobufjs version that preserves unknown fields but does not provide a decode-time discard option.
  • The decoded message, or enough decoded messages concurrently, must remain live long enough for retained unknown-field data to affect memory usage.

Workarounds

Upgrade to protobufjs 8.5.0 or newer and disable unknown-field preservation if it is not needed: create a Reader, set reader.discardUnknown = true, and decode from that reader, or make this the default for subsequently created readers by setting Reader.discardUnknown = true. When upgrading to protobufjs 8.6.2 or newer, unknown fields are discarded by default unless opted into by setting discardUnknown = false.

Applications should also continue to enforce input-size, request concurrency, and request timeout limits at their transport or application boundary.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing decode-time option to discard unknown fields causes every unknown wire element to be unconditionally retained in memory as raw byte slices."

Attack vector

An attacker sends a crafted protobuf binary payload that contains many field numbers not defined in the application's schema. Because affected protobufjs versions (8.2.0 through 8.4.x) unconditionally preserve every unknown field in `message.$unknowns`, each unknown wire element is retained as a raw byte slice in memory. By packing a small payload with a large number of unknown fields, the attacker can cause the decoded message to consume substantially more memory than the input size, potentially leading to memory exhaustion or process termination in services that decode and hold attacker-controlled messages.

Affected code

The vulnerability resides in the generated decoder code within `tests/data/test.js`. In every branch that handles an unknown wire field (after `reader.skipType(...)`), the code unconditionally pushes the raw bytes onto `message.$unknowns` via `(message.$unknowns || (message.$unknowns = [])).push(reader.raw(start, reader.pos))`. The patch [patch_id=6089167] wraps each such push inside `if (!reader.discardUnknown) { ... }`, giving applications a way to opt out of retaining unknown fields.

What the fix does

The patch [patch_id=6089167] introduces a `reader.discardUnknown` boolean flag. In every location where the generated decoder previously unconditionally pushed raw bytes onto `message.$unknowns`, the push is now guarded by `if (!reader.discardUnknown)`. This allows applications to set `reader.discardUnknown = true` before decoding, causing unknown fields to be skipped entirely instead of accumulated. Later versions (8.6.2) flip the default to `true`, so unknown fields are discarded unless explicitly opted into.
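To make the mechanics in the attack-vector, affected-code and fix sections concrete, here is an added example (my own code, not protobufjs or its generated decoders) that models a protobuf wire-format reader with the same `discardUnknown` guard. The `MiniReader` class, `decodeGreeting`, `craftPayload` and the single-field schema are assumptions for illustration; the payload is constructed, and the per-element overhead of each retained `Uint8Array` view is what turns a small input into a much larger live heap.

```javascript
// Added example, not protobufjs code: models the unknown-field handling this advisory describes.
const VARINT = 0, FIXED64 = 1, LEN = 2, FIXED32 = 5;   // protobuf wire types
class MiniReader {
  constructor(buf, discardUnknown = false) {
    this.buf = buf; this.pos = 0; this.len = buf.length;
    this.discardUnknown = discardUnknown;               // the flag the fix introduces
  }
  uint32() {                                            // read one varint (up to 32 bits)
    let value = 0, shift = 0, b;
    do {
      if (this.pos >= this.len || shift > 28) throw new RangeError("bad varint");
      b = this.buf[this.pos++];
      value |= (b & 0x7f) << shift; shift += 7;
    } while (b & 0x80);
    return value >>> 0;
  }
  skipType(wireType) {                                  // advance past a value we do not decode
    if (wireType === VARINT) this.uint32();
    else if (wireType === LEN) this.pos += this.uint32();
    else if (wireType === FIXED64 || wireType === FIXED32) this.pos += wireType === FIXED64 ? 8 : 4;
    else throw new Error("unsupported wire type " + wireType);
    if (this.pos > this.len) throw new RangeError("truncated field");
  }
  raw(start, end) { return this.buf.subarray(start, end); }
}
// Decoder for a schema that defines only field 1 (string name); everything else is unknown.
function decodeGreeting(reader) {
  const message = { name: "" };
  while (reader.pos < reader.len) {
    const start = reader.pos, tag = reader.uint32();
    if (tag >>> 3 === 1 && (tag & 7) === LEN) {
      const n = reader.uint32();
      message.name = new TextDecoder().decode(reader.raw(reader.pos, reader.pos + n));
      reader.pos += n;
    } else {
      reader.skipType(tag & 7);
      // Affected versions pushed unconditionally; the fix wraps the push in this guard.
      if (!reader.discardUnknown)
        (message.$unknowns || (message.$unknowns = [])).push(reader.raw(start, reader.pos));
    }
  }
  return message;
}
// Constructed payload: one known field plus `count` unknown varint fields numbered 1000.
function craftPayload(count) {
  const bytes = [0x0a, 2, 0x68, 0x69];                   // field 1, length 2, "hi"
  for (let i = 0; i < count; i++) bytes.push(0xc0, 0x3e, 1); // tag (1000 << 3 | VARINT), value 1
  return Uint8Array.from(bytes);
}
const retainedUnknownBytes = (m) => (m.$unknowns || []).reduce((sum, u) => sum + u.length, 0);
```

With `discardUnknown` false, a 3004-byte payload leaves 1000 separate slice objects live on the message; with it true the same payload decodes to just `{ name: "hi" }`, which is the behaviour the advisory describes for protobufjs 8.5.0+ (opt-in) and 8.6.2+ (default).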

Preconditions

  • input: The application must decode protobuf binary data influenced by an attacker.
  • config: The decoded schema must not define the attacker-selected field numbers, causing those fields to be treated as unknown.
  • config: The application must use a protobufjs version that preserves unknown fields but does not provide a decode-time discard option (8.2.0 through 8.4.x).
  • auth: The decoded message, or enough decoded messages concurrently, must remain live long enough for retained unknown-field data to affect memory usage.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
