Protobuf.js
by Protobufjs
Source repositories
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-54271 | hig | 0.38 | — | — | Jun 15, 2026 | ## Summary A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common… | ||
| CVE-2026-48712 | hig | 0.38 | — | — | Jun 15, 2026 | ## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply… | ||
| CVE-2026-54270 | 0.00 | — | — | Jun 15, 2026 | ## Summary protobufjs 8.2.0 added support for preserving unknown fields encountered during binary decode. Affected versions preserved unknown wire elements in `message.$unknowns` and did not provide a decode-time option to discard unknown fields before retaining them. A… | |||
| CVE-2026-54269 | 0.00 | — | — | Jun 15, 2026 | ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection… |
- risk 0.38cvss —epss —
## Summary A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common…
- risk 0.38cvss —epss —
## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply…
- CVE-2026-54270Jun 15, 2026risk 0.00cvss —epss —
## Summary protobufjs 8.2.0 added support for preserving unknown fields encountered during binary decode. Affected versions preserved unknown wire elements in `message.$unknowns` and did not provide a decode-time option to discard unknown fields before retaining them. A…
- CVE-2026-54269Jun 15, 2026risk 0.00cvss —epss —
## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection…