Bug 2491451 (CVE-2026-48712)

Summary: CVE-2026-48712 protobufjs: Denial of Service via uncontrolled recursion with crafted protobuf payload
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, abarbaro, abuckta, alizardo, amctagga, aoconnor, bbrownin, bniver, cdrage, cmah, dkuc, dschmidt, eaguilar, ebaron, erezende, flucifre, gmeno, groman, jchui, jhe, jkoehler, jlanda, jolong, jwong, kaycoth, kshier, ktsao, lchilton, lphiri, manissin, mbenjamin, mhackett, mstipich, nboldt, oaljalju, omaciel, orabin, pjindal, psrna, rexwhite, rhel-process-autobot, rushinde, sfeifer, simaishi, sostapov, stcannon, sthirugn, teagle, ttakamiy, vereddy, watson-tool-maintainers, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in protobufjs. A remote attacker could exploit this by sending a crafted protobuf binary payload containing deeply nested 'Any' values. This uncontrolled recursion could exhaust the JavaScript call stack during conversion to JSON, leading to a Denial of Service (DoS).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-22 18:02:11 UTC
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1.
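The description above explains the failure mode: conversion of a decoded message to a plain object or JSON descends one call-stack frame per nesting level, so a payload nested deeply enough exhausts the stack. The remedy is to upgrade to 7.6.1 or 8.4.1; the following is an added illustration of the defensive pattern those fixes embody, not protobufjs code and not the project's patch. It assumes the message has already been decoded into an ordinary object graph (the `makeNestedAny` helper constructs such a graph for the example; `type_url`, `value`, `MAX_DEPTH` and the `DepthLimitExceeded` error are the example's own names). The conversion walks that graph with an explicit work stack instead of recursion and rejects the input once a configurable depth cap is exceeded, so an over-nested payload produces a handled error rather than a crashed process.

```javascript
// Added example (not protobufjs code): depth-bounded, non-recursive conversion
// of a decoded message graph to a plain object. Nesting depth is tracked per
// node and enforced against a cap instead of being limited only by the
// JavaScript call stack.

const MAX_DEPTH = 100; // assumption: a generous cap for legitimate messages

class DepthLimitExceeded extends Error {
  constructor(depth, maxDepth) {
    super(`message nesting depth ${depth} exceeds limit ${maxDepth}`);
    this.name = 'DepthLimitExceeded';
    this.depth = depth;
    this.maxDepth = maxDepth;
  }
}

// Returns true for values that should be descended into (message or repeated
// fields). Byte fields (Uint8Array) are leaves: an undecoded Any.value stays bytes.
function isContainer(v) {
  return v !== null && typeof v === 'object' && !(v instanceof Uint8Array);
}

// Convert `root` to a plain object iteratively. Each work item records the
// source node, the destination container being filled, and the node's depth.
// Throws DepthLimitExceeded before any frame deeper than `maxDepth` is visited.
function toPlainObjectBounded(root, maxDepth = MAX_DEPTH) {
  if (!isContainer(root)) return root;
  const out = Array.isArray(root) ? [] : {};
  const stack = [{ src: root, dst: out, depth: 1 }];
  while (stack.length > 0) {
    const { src, dst, depth } = stack.pop();
    if (depth > maxDepth) throw new DepthLimitExceeded(depth, maxDepth);
    for (const key of Object.keys(src)) {
      const v = src[key];
      if (isContainer(v)) {
        const child = Array.isArray(v) ? [] : {};
        dst[key] = child; // link first, fill when the child is popped
        stack.push({ src: v, dst: child, depth: depth + 1 });
      } else {
        dst[key] = v; // scalar, bytes, or null: copied as-is
      }
    }
  }
  return out;
}

// Constructed test input: a chain of `depth` Any-like nodes, each wrapping the
// next in its `value` field, built with a loop so the builder itself cannot
// overflow the stack. This stands in for an already-decoded nested payload.
function makeNestedAny(depth) {
  let node = { type_url: 'type.googleapis.com/example.Leaf', value: { id: 1 } };
  for (let i = 1; i < depth; i++) {
    node = { type_url: 'type.googleapis.com/google.protobuf.Any', value: node };
  }
  return node;
}

// Wrapper that reports the outcome instead of throwing, as a request handler
// would before returning an error response to the client.
function convertOrReject(root, maxDepth = MAX_DEPTH) {
  try {
    return { ok: true, result: toPlainObjectBounded(root, maxDepth) };
  } catch (e) {
    if (e instanceof DepthLimitExceeded) return { ok: false, reason: e.message };
    throw e;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(convertOrReject(makeNestedAny(3))));
  console.log(JSON.stringify(convertOrReject(makeNestedAny(100000))));
}
```

The cap is deliberately enforced on the depth counter rather than by catching `RangeError` from a stack overflow: the latter is unreliable because the point of overflow depends on the engine, the surrounding call depth and the frame size, while a counter gives a deterministic, loggable rejection.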