CVE-2026-54270: CWE-770: Allocation of Resources Without Limits or Throttling in protobufjs protobuf.js
protobuf.js versions from 8.2.0 to 8.4.2 retained unknown protobuf fields in memory without an option to discard them during decoding. This behavior could lead to excessive memory use when processing crafted payloads with many unknown fields. Version 8.5.0 introduced options to disable unknown-field retention, and 8.6.2 changed the default to discard unknown fields unless explicitly enabled.
AI Analysis
Technical Summary
The protobuf.js library versions 8.2.0 through 8.4.2 preserved unknown wire elements in the message.$unknowns property without providing a decode-time option to discard these unknown fields. This could cause a decoded message to consume significantly more memory than the input payload size, constituting an allocation of resources without limits or throttling (CWE-770). Starting in version 8.5.0, decode-time options were added to allow disabling unknown-field retention, and in 8.6.2 the default behavior was changed to discard unknown fields unless explicitly opted into, mitigating this issue.
Potential Impact
An attacker can craft protobuf payloads containing many unknown fields that cause the protobuf.js decoder to retain large amounts of memory, potentially leading to denial of service due to excessive memory consumption. There is no impact on confidentiality or integrity, only availability due to resource exhaustion.
Mitigation Recommendations
Upgrade protobuf.js to version 8.5.0 or later to gain decode-time options to disable unknown-field retention. For best protection, use version 8.6.2 or later, where unknown fields are discarded by default unless explicitly enabled. Patch status is not explicitly confirmed by the vendor advisory, but these version changes indicate remediation. Check the protobuf.js project releases for official patch details.
CVE-2026-54270: CWE-770: Allocation of Resources Without Limits or Throttling in protobufjs protobuf.js
Description
protobuf.js versions from 8.2.0 to 8.4.2 retained unknown protobuf fields in memory without an option to discard them during decoding. This behavior could lead to excessive memory use when processing crafted payloads with many unknown fields. Version 8.5.0 introduced options to disable unknown-field retention, and 8.6.2 changed the default to discard unknown fields unless explicitly enabled.
CVSS v3.1
Score 5.3medium
Affected software
pkg:npm/protobufjs/protobuf.jsRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The protobuf.js library versions 8.2.0 through 8.4.2 preserved unknown wire elements in the message.$unknowns property without providing a decode-time option to discard these unknown fields. This could cause a decoded message to consume significantly more memory than the input payload size, constituting an allocation of resources without limits or throttling (CWE-770). Starting in version 8.5.0, decode-time options were added to allow disabling unknown-field retention, and in 8.6.2 the default behavior was changed to discard unknown fields unless explicitly opted into, mitigating this issue.
Potential Impact
An attacker can craft protobuf payloads containing many unknown fields that cause the protobuf.js decoder to retain large amounts of memory, potentially leading to denial of service due to excessive memory consumption. There is no impact on confidentiality or integrity, only availability due to resource exhaustion.
Mitigation Recommendations
Upgrade protobuf.js to version 8.5.0 or later to gain decode-time options to disable unknown-field retention. For best protection, use version 8.6.2 or later, where unknown fields are discarded by default unless explicitly enabled. Patch status is not explicitly confirmed by the vendor advisory, but these version changes indicate remediation. Check the protobuf.js project releases for official patch details.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-12T17:13:32.279Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a39735beed863c81e39624c
Added to database: 06/22/2026, 17:39:39 UTC
Last enriched: 06/22/2026, 17:55:55 UTC
Last updated: 06/22/2026, 20:22:12 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.