protobufjs: Memory amplification from preserved unknown fields in binary decode

Summary protobufjs 8.2.0 added support for preserving unknown fields encountered during binary decode. Affected versions preserved unknown wire elements in message.$unknowns and did not provide a decode-time option to discard unknown fields before retaining them. A crafted protobuf payload...

org.webjars.npm:bazel__typescript (=1.7.0), org.webjars.npm:cesium (>=1.96.0 <=1.137.0) +13 more potentially affected by CVE-2026-45740 via org.webjars.npm:protobufjs (>=6.11.3 <=8.0.0)

org.webjars.npm:protobufjs MAVEN version =6.11.3, =1.96.0, =1.0.0, =1.0.0, =10.13.0, =4.7.0, =0.3.35, =1.6.1, =0.5.2, =0.7.15 - org.webjars.npm:tiktok-live-connector =1.0.2 Source cves: CVE-2026-45740 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16657756...

@0xchain/telemetry (>=1.1.0-beta.8 <=1.1.0-beta.18), @20206205tech/nestjs-common (>=0.8.0 <=0.11.3) +964 more potentially affected by CVE-2026-45740 via protobufjs (>=8.0.0 <=8.0.3)

protobufjs NPM version =8.0.0, =1.1.0-beta.8, =0.8.0, =1.0.0, =1.1.4, =0.3.1, =0.3.1, =0.7.1, =0.7.0, =0.8.0 and more Source cves: CVE-2026-45740 Source advisory: SNYK:JS-PROTOBUFJS-16657755...

10minions-engine (>=0.0.1 <=0.0.4), @0xr404/lol404 (>=1.1.0 <=1.1.6) +3362 more potentially affected by CVE-2026-44295 via protobufjs (>=7.0.0 <=7.5.5)

protobufjs NPM version =7.0.0, =0.0.1, =1.1.0, =1.0.1-beta.0, =0.0.2-beta.0, =1.0.0, =1.5.10, =0.10.1, =1.1.0, =6.0.0, =2.0.2, =3.3.2 and more Source cves: CVE-2026-44295 Source advisory: SNYK:JS-PROTOBUFJS-16643442...

@0xchain/telemetry (>=1.1.0-beta.8 <=1.1.0-beta.18), @20206205tech/nestjs-common (>=0.8.0 <=0.11.3) +961 more potentially affected by CVE-2026-44293 via protobufjs (>=8.0.0 <=8.0.1)

protobufjs NPM version =8.0.0, =1.1.0-beta.8, =0.8.0, =1.0.0, =1.1.4, =0.3.1, =0.3.1, =0.7.1, =0.7.0, =0.8.0 and more Source cves: CVE-2026-44293 Source advisory: OSV:GHSA-66FF-XGX4-VCHM...

10minions-engine (>=0.0.1 <=0.0.4), @0xr404/lol404 (>=1.1.0 <=1.1.6) +3362 more potentially affected by CVE-2026-44292 via protobufjs (>=7.0.0 <=7.5.5)

protobufjs NPM version =7.0.0, =0.0.1, =1.1.0, =1.0.1-beta.0, =0.0.2-beta.0, =1.0.0, =1.5.10, =0.10.1, =1.1.0, =6.0.0, =2.0.2, =3.3.2 and more Source cves: CVE-2026-44292 Source advisory: SNYK:JS-PROTOBUFJS-16643319...

@0xchain/telemetry (>=1.1.0-beta.8 <=1.1.0-beta.18), @20206205tech/nestjs-common (>=0.8.0 <=0.11.3) +961 more potentially affected by CVE-2026-44290 via protobufjs (>=8.0.0 <=8.0.1)

protobufjs NPM version =8.0.0, =1.1.0-beta.8, =0.8.0, =1.0.0, =1.1.4, =0.3.1, =0.3.1, =0.7.1, =0.7.0, =0.8.0 and more Source cves: CVE-2026-44290 Source advisory: OSV:GHSA-JVWF-75H9-CWGG...

-temp-electron-manager-somiibo (=0.0.200), 0xpass (>=0.0.2 <=0.0.8) +22910 more potentially affected by CVE-2026-41242 via protobufjs (>=2.0.4 <=7.5.4)

protobufjs NPM version =2.0.4, =0.0.2, =0.0.1, =1.0.0, =1.0.1, =1.0.1, =1.0.0, =1.0.0, =1.0.0, =2.0.0, =1.0.0-alpha.3, =1.0.0, =0.0.1, =0.0.1, =0.1.5 and more Source cves: CVE-2026-41242 Source advisory: OSV:GHSA-XQ3M-2V4X-88GG...

@00ssh/erdnest (>=0.2.19 <=0.2.23), @0cfg/rpc-common (>=0.0.1 <=0.1.3) +2630 more potentially affected by CVE-2023-36665 via protobufjs (>=6.10.0 <=6.11.3)

protobufjs NPM version =6.10.0, =0.2.19, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.11, =0.0.8-alpha.0, =0.1.0, =0.0.2, =0.0.1, =0.0.5, =1.9.4, =1.9.15 and more Source cves: CVE-2023-36665 Source advisory: OSV:GHSA-H755-8QP9-CQ85...