{"id":"CVE-2026-59877","summary":"protobufjs: Denial of Service via infinite loop in .proto option parsing","details":"protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.","aliases":["GHSA-j3f2-48v5-ccww"],"modified":"2026-07-15T01:49:19.788505514Z","published":"2026-07-08T15:28:07.696Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-835"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59877.json"},"references":[{"type":"WEB","url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.6.5"},{"type":"WEB","url":"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.6.6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59877.json"},{"type":"ADVISORY","url":"https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-j3f2-48v5-ccww"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59877"},{"type":"FIX","url":"https://github.com/protobufjs/protobuf.js/commit/10fba6d54815ceecca8a06b9a6db490c8f5d2217"},{"type":"FIX","url":"https://github.com/protobufjs/protobuf.js/commit/fa5c73add738ceb471e74da8cc2f3727c3d0a69f"},{"type":"FIX","url":"https://github.com/protobufjs/protobuf.js/pull/2352"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protobufjs/protobuf.js","events":[{"introduced":"1dbcfe322899aca50fb82916db7802f647f23f0e"},{"fixed":"89048ba0bbf3ed78f77199102f0614dafc2b4860"},{"introduced":"933e8750dcd000c16a621a7344a4beaa034c4019"},{"fixed":"55e4c8f8eadfc21c848f6a1eedd1b383a3720099"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"7.5.0"},{"fixed":"7.6.5"},{"introduced":"8.0.0"},{"fixed":"8.6.6"}]}}],"versions":["protobufjs-v7.6.4","protobufjs-v8.6.5","protobufjs-cli-v2.5.6","protobufjs-v8.6.4","protobufjs-cli-v2.5.5","protobufjs-v7.6.3","protobufjs-cli-v1.3.3","protobufjs-v8.6.3","protobufjs-cli-v2.5.4","protobufjs-v8.6.2","protobufjs-cli-v2.5.3","protobufjs-v7.6.2","protobufjs-cli-v1.3.2","protobufjs-v8.6.1","protobufjs-cli-v2.5.2","protobufjs-v8.6.0","protobufjs-cli-v2.5.1","protobufjs-v8.5.0","protobufjs-cli-v2.5.0","utf8-v1.1.1","protobufjs-v7.6.1","protobufjs-cli-v1.3.1","pool-v1.1.0","path-v1.1.2","float-v1.0.2","eventemitter-v1.1.1","codegen-v2.0.5","base64-v1.1.2","aspromise-v1.1.2","protobufjs-v8.4.2","protobufjs-cli-v2.4.2","protobufjs-v8.4.1","protobufjs-cli-v2.4.1","protobufjs-v7.6.0","protobufjs-cli-v1.3.0","protobufjs-v8.4.0","protobufjs-cli-v2.4.0","protobufjs-v7.5.9","inquire-v1.1.2","fetch-v1.1.1","protobufjs-v7.5.8","protobufjs-v8.3.0","protobufjs-cli-v2.3.0","protobufjs-v8.2.1","protobufjs-cli-v2.2.1","protobufjs-v7.5.7","protobufjs-v8.2.0","protobufjs-cli-v2.2.0","protobufjs-cli-v1.2.2","protobufjs-cli-v2.0.3","protobufjs-v7.5.6","protobufjs-cli-v1.2.1","protobufjs-v8.0.3","protobufjs-v8.0.2","protobufjs-cli-v2.0.2","protobufjs-v7.5.5","protobufjs-v8.0.1","protobufjs-cli-v2.0.1","protobufjs-v7.5.4","protobufjs-v8.0.0","protobufjs-cli-v2.0.0","protobufjs-v7.5.3","protobufjs-v7.5.2","protobufjs-v7.5.1","protobufjs-v7.5.0","protobufjs-cli-v1.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59877.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}