
6 matches found

Github Security Blog
added 2026/06/15 8:13 p.m., 8 views

protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

Summary: A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas fro...

8.7 CVSS, 5.9 AI score, 0.00395 EPSS
Exploits: 0, References: 2, Affected Software: 1

Patchstack
added 2026/05/19 4:21 p.m., 6 views

NPM: protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion

NPM: protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.7...

7.5 CVSS, 5.8 AI score, 0.00263 EPSS
Exploits: 0, References: 3, Affected Software: 1

Github Security Blog
added 2026/05/19 4:21 p.m., 16 views

protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion

Summary: protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON and Namespace.addJSON. A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. Impact: An...

7.5 CVSS, 5.8 AI score, 0.00263 EPSS
Exploits: 0, References: 3, Affected Software: 1

NVD
added 2026/05/13 4:17 p.m., 10 views

CVE-2026-45740

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON and Namespace.addJSON. A crafted JSON descriptor with deeply nested namespace definitions...

7.5 CVSS, 0.00263 EPSS
Exploits: 0, References: 1

CVE
added 2026/05/13 2:46 p.m., 19 views

CVE-2026-45740

Protobufjs vulnerability CVE-2026-45740 arises from unbounded recursion when expanding deeply nested JSON descriptors (Root.fromJSON(), Namespace.addJSON()). Before versions 7.5.8 and 8.2.0, crafted JSON descriptors could exhaust the JavaScript call stack, causing a Denial of Service. The issue a...

7.5 CVSS, 5.8 AI score, 0.00263 EPSS
Exploits: 0, References: 1, Affected Software: 1

Snyk
added 2026/05/12 3:1 p.m., 4 views

Prototype Pollution

Overview: Affected versions of this package are vulnerable to Prototype Pollution via schema option path handling. An attacker can perform prototype pollution by supplying a crafted protobuf schema or JSON descriptor whose option paths traverse inherited properties, allowing writes to global...

7.5 CVSS, 6.3 AI score, 0.00373 EPSS
Exploits: 0, References: 2