Bug 2491473 (CVE-2026-54269)

Summary: CVE-2026-54269 protobufjs: protobufjs-cli: protobufjs: Denial of Service due to name collision with runtime helpers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aazores, abarbaro, abuckta, alizardo, amctagga, aoconnor, bbrownin, bniver, cdrage, cmah, dkuc, dschmidt, eaguilar, ebaron, erezende, flucifre, gmeno, groman, jchui, jhe, jkoehler, jlanda, jolong, jwong, kaycoth, kshier, ktsao, lchilton, lphiri, manissin, mbenjamin, mhackett, mstipich, nboldt, oaljalju, omaciel, orabin, pjindal, psrna, rexwhite, rhel-process-autobot, rushinde, sfeifer, simaishi, sostapov, stcannon, sthirugn, teagle, ttakamiy, vereddy, watson-tool-maintainers, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in protobufjs, a JavaScript (JS) library for compiling protobuf definitions. A remote attacker could exploit this vulnerability by providing specially crafted protobuf definitions or message types that contain names colliding with internal protobufjs runtime helpers. This could lead to deterministic exceptions or recursive calls during various operations, ultimately causing a Denial of Service (DoS) in applications using the library.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-22 18:03:28 UTC
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.