CVE-2026-59877

Source
https://cve.org/CVERecord?id=CVE-2026-59877
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59877.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59877
Aliases
  • GHSA-j3f2-48v5-ccww
Published
2026-07-08T15:28:07.696Z
Modified
2026-07-15T01:49:19.788505514Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
protobufjs: Denial of Service via infinite loop in .proto option parsing
Details

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.

Database specific
{
    "cwe_ids": [
        "CWE-835"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59877.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/protobufjs/protobuf.js

Affected ranges

Type
GIT
Repo
https://github.com/protobufjs/protobuf.js
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "7.5.0"
        },
        {
            "fixed": "7.6.5"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.6.6"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

aspromise-v1.*
aspromise-v1.1.2
base64-v1.*
base64-v1.1.2
codegen-v2.*
codegen-v2.0.5
eventemitter-v1.*
eventemitter-v1.1.1
fetch-v1.*
fetch-v1.1.1
float-v1.*
float-v1.0.2
inquire-v1.*
inquire-v1.1.2
path-v1.*
path-v1.1.2
pool-v1.*
pool-v1.1.0
protobufjs-cli-v1.*
protobufjs-cli-v1.2.0
protobufjs-cli-v1.2.1
protobufjs-cli-v1.2.2
protobufjs-cli-v1.3.0
protobufjs-cli-v1.3.1
protobufjs-cli-v1.3.2
protobufjs-cli-v1.3.3
protobufjs-cli-v2.*
protobufjs-cli-v2.0.0
protobufjs-cli-v2.0.1
protobufjs-cli-v2.0.2
protobufjs-cli-v2.0.3
protobufjs-cli-v2.2.0
protobufjs-cli-v2.2.1
protobufjs-cli-v2.3.0
protobufjs-cli-v2.4.0
protobufjs-cli-v2.4.1
protobufjs-cli-v2.4.2
protobufjs-cli-v2.5.0
protobufjs-cli-v2.5.1
protobufjs-cli-v2.5.2
protobufjs-cli-v2.5.3
protobufjs-cli-v2.5.4
protobufjs-cli-v2.5.5
protobufjs-cli-v2.5.6
protobufjs-v7.*
protobufjs-v7.5.0
protobufjs-v7.5.1
protobufjs-v7.5.2
protobufjs-v7.5.3
protobufjs-v7.5.4
protobufjs-v7.5.5
protobufjs-v7.5.6
protobufjs-v7.5.7
protobufjs-v7.5.8
protobufjs-v7.5.9
protobufjs-v7.6.0
protobufjs-v7.6.1
protobufjs-v7.6.2
protobufjs-v7.6.3
protobufjs-v7.6.4
protobufjs-v8.*
protobufjs-v8.0.0
protobufjs-v8.0.1
protobufjs-v8.0.2
protobufjs-v8.0.3
protobufjs-v8.2.0
protobufjs-v8.2.1
protobufjs-v8.3.0
protobufjs-v8.4.0
protobufjs-v8.4.1
protobufjs-v8.4.2
protobufjs-v8.5.0
protobufjs-v8.6.0
protobufjs-v8.6.1
protobufjs-v8.6.2
protobufjs-v8.6.3
protobufjs-v8.6.4
protobufjs-v8.6.5
utf8-v1.*
utf8-v1.1.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59877.json"