CVE-2026-44289: protobufjs Flaw Allows Stack-Overflow via Unbounded Recursion in Nested Data Decoding
A high-severity vulnerability has been identified in protobufjs, a widely-used JavaScript library for compiling Protocol Buffer definitions into executable functions. The flaw, tracked as CVE-2026-44289 with a CVSS score of 7.5 (High), stems from a critical weakness in how the library handles nested protobuf data during the decoding process. Versions prior to 7.5.6 and 8.0.2 are affected, exposing a broad range of applications that depend on protobufjs for data serialization and deserialization.
The core issue lies in protobufjs's inability to enforce a recursion depth limit while decoding nested protobuf structures. Specifically, the vulnerability manifests during the skipping of unknown group fields and within generated code paths. When confronted with deeply or infinitely nested protobuf messages, the library can be induced into recursive calls without any safeguards, leading to uncontrolled stack consumption. An attacker capable of supplying crafted protobuf payloads to a vulnerable application could trigger this condition, potentially causing a denial-of-service state through stack exhaustion.
The vulnerability has been addressed in protobufjs versions 7.5.6 and 8.0.2, which introduce proper depth-limiting mechanisms to prevent unbounded recursion. Organizations using protobufjs in production environments are urged to verify their installed versions and apply the available patches without delay. Given the library's prevalence in microservices, API backends, and real-time communication systems, the attack surface for this flaw is considerable. Security teams should audit dependencies for protobufjs usage and implement temporary mitigations, such as input validation limits on nesting depth, until patches can be deployed across affected infrastructure.
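As an added example (not protobufjs's own code or its fix), the interim mitigation suggested above can be implemented as an iterative, schema-free pre-check over the protobuf wire format that bounds start-group/end-group nesting before a recursive decoder ever sees the bytes; `MAX_GROUP_DEPTH`, the function names and the sample input are assumptions made here.

```javascript
// Iterative, schema-free walk of a protobuf wire-format buffer: measures how deeply
// group tags (wire type 3 opens, wire type 4 closes) nest and rejects over-nested input.
const MAX_GROUP_DEPTH = 64; // assumed limit; tune to the deepest legitimate schema

// Decode a base-128 varint at pos; returns [value, nextPos]. Throws if truncated.
function readVarint(buf, pos) {
  let value = 0, shift = 0;
  for (;;) {
    if (pos >= buf.length) throw new Error('truncated varint');
    const b = buf[pos++];
    value += (b & 0x7f) * 2 ** shift; // multiply, not <<, to stay safe past 31 bits
    if ((b & 0x80) === 0) return [value, pos];
    if ((shift += 7) > 63) throw new Error('varint too long');
  }
}

// Walk every field without recursion; returns the deepest group nesting seen.
// Throws on malformed input or when nesting exceeds maxDepth.
function groupNestingDepth(buf, maxDepth = MAX_GROUP_DEPTH) {
  let pos = 0, depth = 0, deepest = 0;
  while (pos < buf.length) {
    let tag, len;
    [tag, pos] = readVarint(buf, pos);
    switch (tag & 7) {
      case 0: [, pos] = readVarint(buf, pos); break;                 // varint
      case 1: pos += 8; break;                                       // fixed64
      case 5: pos += 4; break;                                       // fixed32
      case 2: [len, pos] = readVarint(buf, pos); pos += len; break;  // length-delimited
      case 3:                                                        // start group
        if (++depth > maxDepth) throw new Error(`group nesting exceeds ${maxDepth}`);
        deepest = Math.max(deepest, depth);
        break;
      case 4:                                                        // end group
        if (depth-- === 0) throw new Error('unmatched end-group tag');
        break;
      default: throw new Error(`invalid wire type ${tag & 7}`);
    }
    if (pos > buf.length) throw new Error('field runs past end of buffer');
  }
  if (depth !== 0) throw new Error('unterminated group');
  return deepest;
}

// Gate to call before handing bytes to the real decoder.
function isSafeToDecode(buf, maxDepth = MAX_GROUP_DEPTH) {
  try { groupNestingDepth(buf, maxDepth); return true; } catch { return false; }
}

// Constructed sample input: field 1 as a group nested n levels deep
// (0x0b = field 1 / wire type 3, 0x0c = field 1 / wire type 4).
function nestedGroups(n) {
  return Buffer.concat([Buffer.alloc(n, 0x0b), Buffer.alloc(n, 0x0c)]);
}
```

The check only bounds group nesting, which needs no schema; length-delimited submessages cannot be distinguished from plain bytes without the descriptor, so their depth is left to the patched decoder's own limit.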