
chore(deps): update dependency protobufjs to v8.6.0 [security] - autoclosed #644

Closed

renovate[bot] wants to merge 1 commit into master from renovate/npm-protobufjs-vulnerability

Conversation

renovate Bot (Contributor) commented May 19, 2026

This PR contains the following updates:

Package    | Change         | Age     | Confidence
-----------|----------------|---------|-----------
protobufjs | 8.0.3 -> 8.6.0 | (badge) | (badge)

protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion

CVE-2026-45740 / GHSA-jggg-4jg4-v7c6

Details

Summary

protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON().

A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading.

Impact

An attacker who can provide JSON descriptors loaded by an application may be able to crash the process or otherwise cause schema loading to fail with a stack overflow.

This affects applications that load JSON descriptors from untrusted sources with affected versions.

Preconditions
  • The application must load JSON descriptor data influenced by an attacker.
  • The crafted descriptor must contain deeply nested namespace objects.
  • The affected Root.fromJSON() / Namespace.addJSON() descriptor expansion path must process the crafted input.
Workarounds

Avoid loading untrusted protobuf JSON descriptors with affected versions. If immediate upgrade is not possible, reject excessively nested descriptor structures at an outer validation boundary where feasible, or isolate descriptor loading in a process that can be safely restarted.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


protobufjs: Denial of service through unbounded Any expansion during JSON conversion

CVE-2026-48712 / GHSA-wcpc-wj8m-hjx6

Details

Summary

protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path.

A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON.

Impact

An attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause message conversion to fail with a stack overflow.

This affects applications that decode untrusted protobuf input containing google.protobuf.Any values and then convert decoded messages to JSON or plain objects with JSON conversion enabled, for example through JSON.stringify(message), Message#toJSON(), or Type.toObject(message, { json: true }).

Applications that only decode and re-encode protobuf binary data without converting decoded messages to JSON are not directly affected by this issue.

Preconditions
  • The application must decode protobuf binary data influenced by an attacker.
  • The application schema must include google.protobuf.Any, and the referenced type_url must resolve to a message type in the loaded protobuf root.
  • The application must convert the decoded message to JSON or a plain object through an affected conversion path.
  • The crafted input must contain deeply nested Any values that are expanded during conversion.
Workarounds

Avoid converting untrusted protobuf messages containing google.protobuf.Any values to JSON with affected versions. If immediate upgrade is not possible, reject or limit messages with deeply nested Any payloads at an outer protocol boundary where feasible, avoid JSON conversion of untrusted Any values, or isolate message conversion in a process that can be safely restarted.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


protobufjs: Schema-derived names can shadow runtime-significant properties

CVE-2026-54269 / GHSA-f38q-mgvj-vph7

Details

Summary

protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall.

When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation.

Impact

An attacker who can provide or influence protobuf schemas or protobufjs JSON descriptors may be able to make affected message or service types unusable, resulting in denial of service for the affected processing path.

Applications using only trusted schemas are affected only if those schemas contain one of the problematic names and the application reaches the affected API path.

The issue is not known to allow code execution by itself.

Preconditions
  • The application must use an affected protobufjs version.
  • The application must load or use a schema or protobufjs JSON descriptor containing one of the problematic names:
    • a field named hasOwnProperty,
    • a field or oneof named $type through protobufjs JSON/reflection descriptor input,
    • or a service method whose generated helper name is rpcCall.
  • The application must reach the affected API path for that name: required-field decode post-checks, verify, or toObject for hasOwnProperty; reflected message JSON serialization for $type; or protobufjs RPC service invocation for rpcCall.
Workarounds

Do not load protobuf schemas or protobufjs JSON descriptors from untrusted sources with affected versions. If untrusted schemas or descriptors must be accepted, validate schema-derived field, oneof, and service method names before loading and reject the problematic names described above.

Applications using trusted schemas can avoid the issue by renaming affected fields or service methods, or by avoiding the affected API path.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

protobufjs/protobuf.js (protobufjs)

v8.6.0: Features, Bug Fixes
v8.5.0: Features, Bug Fixes
v8.4.2: Bug Fixes
v8.4.1: Bug Fixes
v8.4.0: Features
v8.3.0: Features
v8.2.1: Bug Fixes, Performance Improvements
v8.2.0: Features, Bug Fixes, Performance Improvements

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
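The first advisory's workaround (reject excessively nested descriptor structures at an outer validation boundary) and the third's (validate schema-derived field, oneof and service method names before loading) both amount to walking the same JSON descriptor before it reaches Root.fromJSON() or Namespace.addJSON(), so one added example covers both. This is editorial illustration, not protobufjs code and not part of the Renovate PR. Assumptions: MAX_DEPTH is a budget picked for the example; the descriptor uses the protobufjs JSON keys nested/fields/oneofs/methods; and the generated RPC helper name is derived by lower-casing the first letter of the method name.

```javascript
// Added example (not protobufjs code): validate an untrusted protobufjs JSON
// descriptor BEFORE handing it to Root.fromJSON()/Namespace.addJSON().
// Two checks: (1) bound the depth of `nested` namespaces so descriptor
// expansion cannot exhaust the call stack, (2) reject schema-derived names
// that collide with protobufjs runtime helpers (CVE-2026-54269).
// Assumptions: MAX_DEPTH is a budget chosen for this example; the descriptor
// layout uses the protobufjs JSON keys nested/fields/oneofs/methods; the RPC
// helper name is derived by lower-casing the first letter of the method name.

const MAX_DEPTH = 32;

const lcFirst = (s) => s.charAt(0).toLowerCase() + s.slice(1);

// Walks the descriptor and returns a list of problems (empty means accept).
// Collecting instead of throwing lets a caller log every issue at once.
function validateDescriptor(desc, path = "", depth = 0, problems = []) {
  const where = path || "<root>";
  if (depth > MAX_DEPTH) {
    problems.push(`${where}: namespace nesting depth ${depth} exceeds ${MAX_DEPTH}`);
    return problems; // do not descend further: this is the recursion we are bounding
  }
  if (desc === null || typeof desc !== "object") return problems;

  for (const name of Object.keys(desc.fields || {})) {
    if (name === "hasOwnProperty") problems.push(`${where}: field named hasOwnProperty`);
    if (name === "$type") problems.push(`${where}: field named $type`);
  }
  for (const name of Object.keys(desc.oneofs || {})) {
    if (name === "$type") problems.push(`${where}: oneof named $type`);
  }
  for (const name of Object.keys(desc.methods || {})) {
    if (lcFirst(name) === "rpcCall") problems.push(`${where}: method ${name} would generate helper rpcCall`);
  }
  for (const name of Object.keys(desc.nested || {})) {
    validateDescriptor(desc.nested[name], path ? `${path}.${name}` : name, depth + 1, problems);
  }
  return problems;
}

// Constructed sample descriptors (not taken from any real project).
const benign = {
  nested: { pkg: { nested: { Msg: { fields: { id: { type: "uint32", id: 1 } } } } } },
};

const hostile = {
  nested: {
    Evil: {
      fields: { hasOwnProperty: { type: "string", id: 1 }, $type: { type: "string", id: 2 } },
      oneofs: { $type: { oneof: ["hasOwnProperty"] } },
    },
    Svc: { methods: { RpcCall: { requestType: "Evil", responseType: "Evil" } } },
  },
};

// Builds a chain of `levels` namespaces n0.n1.n2... to exercise the depth bound.
function deeplyNested(levels) {
  let desc = { fields: {} };
  for (let i = levels - 1; i >= 0; i--) desc = { nested: { [`n${i}`]: desc } };
  return desc;
}

// Usage: refuse the descriptor if anything came back.
function safeToLoad(desc) {
  return validateDescriptor(desc).length === 0;
}
```

Run this on the parsed JSON before any protobufjs call; the depth check stops descending as soon as the budget is exceeded, which is exactly the recursion the advisory describes, and the name check catches the three collisions listed in CVE-2026-54269 at the same pass.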
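The second advisory's workaround, limiting messages with deeply nested Any payloads at an outer protocol boundary, can be applied to the raw bytes before protobufjs decodes anything, because google.protobuf.Any on the wire is only two fields (type_url and value). The following is an added example, not protobufjs code and not part of the Renovate PR. Assumptions: MAX_ANY_DEPTH is a budget picked for the example, an Any is recognised by a type_url ending in "/google.protobuf.Any", and the sample payload (constructed inline) wraps a hypothetical example.Ping message.

```javascript
// Added example (not protobufjs code): bound google.protobuf.Any nesting on the
// raw wire bytes, before protobufjs decodes the message and toObject()/toJSON()
// would expand nested Any values recursively (CVE-2026-48712).
// Any on the wire is only two fields: 1 = type_url (string), 2 = value (bytes),
// so a minimal varint / length-delimited reader is enough.
// Assumptions: MAX_ANY_DEPTH is a budget chosen for this example; an Any is
// recognised by its type_url ending in "/google.protobuf.Any"; the sample
// payload wraps a hypothetical example.Ping message.

const MAX_ANY_DEPTH = 8;
const ANY_TYPE_URL_SUFFIX = "/google.protobuf.Any";
const utf8 = new TextDecoder();

// Reads one base-128 varint at cur.pos and advances the cursor.
function readVarint(cur) {
  let result = 0, shift = 0;
  for (;;) {
    if (cur.pos >= cur.buf.length) throw new Error("truncated varint");
    const b = cur.buf[cur.pos++];
    result += (b & 0x7f) * 2 ** shift; // multiply, not <<, to avoid 32-bit wrap
    if ((b & 0x80) === 0) return result;
    shift += 7;
    if (shift > 63) throw new Error("varint too long");
  }
}

// Splits a serialized message into its top-level fields without a schema.
function readFields(buf) {
  const cur = { buf, pos: 0 }, fields = [];
  while (cur.pos < buf.length) {
    const tag = readVarint(cur);
    const num = Math.floor(tag / 8), wireType = tag % 8;
    let bytes;
    if (wireType === 0) bytes = readVarint(cur);
    else if (wireType === 2) {
      const len = readVarint(cur);
      if (cur.pos + len > buf.length) throw new Error("length-delimited field overruns buffer");
      bytes = buf.subarray(cur.pos, cur.pos + len); cur.pos += len;
    } else if (wireType === 1 || wireType === 5) {
      const n = wireType === 1 ? 8 : 4;
      if (cur.pos + n > buf.length) throw new Error("truncated fixed-width field");
      bytes = buf.subarray(cur.pos, cur.pos + n); cur.pos += n;
    } else throw new Error(`unsupported wire type ${wireType}`);
    fields.push({ num, wireType, bytes });
  }
  return fields;
}

// Returns how many Any layers a serialized Any contains (1 = no nesting) and
// throws once the budget is exceeded. The recursion here is itself bounded by
// MAX_ANY_DEPTH, which is the whole point.
function anyNestingDepth(buf, depth = 1) {
  if (depth > MAX_ANY_DEPTH) throw new Error(`Any nested deeper than ${MAX_ANY_DEPTH}`);
  let typeUrl = "", value = null;
  for (const f of readFields(buf)) {
    if (f.num === 1 && f.wireType === 2) typeUrl = utf8.decode(f.bytes);
    if (f.num === 2 && f.wireType === 2) value = f.bytes;
  }
  if (value && typeUrl.endsWith(ANY_TYPE_URL_SUFFIX)) return anyNestingDepth(value, depth + 1);
  return depth;
}

// Boundary check a server would run before calling protobufjs decode().
// Malformed bytes are rejected too, since the reader throws on them.
function anyWithinBudget(buf) {
  try { anyNestingDepth(buf); return true; } catch { return false; }
}

// --- constructed sample payloads (a tiny encoder so the example runs offline) ---
const utf8enc = new TextEncoder();
function varint(n) {
  const out = [];
  while (n >= 0x80) { out.push((n % 128) | 0x80); n = Math.floor(n / 128); }
  out.push(n);
  return out;
}
function lengthDelimited(num, bytes) {
  return [...varint(num * 8 + 2), ...varint(bytes.length), ...bytes];
}
function encodeAny(typeUrl, value) {
  return Uint8Array.from([...lengthDelimited(1, utf8enc.encode(typeUrl)), ...lengthDelimited(2, value)]);
}
// Any{ example.Ping{seq=1} } wrapped `levels` more times in Any.
function nestedAny(levels) {
  let msg = encodeAny("type.googleapis.com/example.Ping", Uint8Array.from([0x08, 0x01]));
  for (let i = 0; i < levels; i++) msg = encodeAny("type.googleapis.com/google.protobuf.Any", msg);
  return msg;
}
```

The check only needs to be applied to the bytes of fields whose schema type is google.protobuf.Any; for a top-level Any it runs directly on the request body. It inspects type_url rather than trusting the nesting to be benign, so the budget holds whatever type the inner payload claims to be.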

renovate Bot force-pushed the renovate/npm-protobufjs-vulnerability branch from b5183aa to 404150d on June 15, 2026 19:15
renovate Bot changed the title from "chore(deps): update dependency protobufjs to v8.2.0 [security]" to "chore(deps): update dependency protobufjs to v8.4.1 [security]" on Jun 15, 2026
renovate Bot changed the title from "chore(deps): update dependency protobufjs to v8.4.1 [security]" to "chore(deps): update dependency protobufjs to v8.6.0 [security]" on Jun 16, 2026
renovate Bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 404150d to ce91842 on June 16, 2026 03:43
renovate Bot changed the title from "chore(deps): update dependency protobufjs to v8.6.0 [security]" to "chore(deps): update dependency protobufjs to v8.6.0 [security] - autoclosed" on Jun 17, 2026
renovate Bot closed this on Jun 17, 2026
renovate Bot deleted the renovate/npm-protobufjs-vulnerability branch on June 17, 2026 19:02