protobufjs Denial-of-Service Vulnerability via Unbounded Recursion in Protobuf Decoding

Vulnerability

A denial-of-service vulnerability has been identified in protobufjs 7.x releases before 7.5.6 and 8.x releases before 8.0.2. The library decodes nested protobuf data recursively and, in affected versions, imposes no limit on nesting depth. A payload with enough nesting levels (nested group tags or embedded message fields) therefore exhausts the JavaScript call stack, and decoding aborts with a stack overflow. Any application that passes untrusted protobuf binary input to the affected decoder is exposed, because the attacker controls the nesting depth of that input.

Impact

Exploitation of this vulnerability makes the decoding call fail with a stack overflow; Node.js (V8) surfaces this as a RangeError ("Maximum call stack size exceeded"). If the error is not handled, the process crashes. Even where it is caught, the decode fails and the request cannot be served, so an attacker can disrupt normal processing with a single small payload.

Remediation

Users are advised to upgrade to protobufjs 7.5.6 or later on the 7.x line, or 8.0.2 or later on the 8.x line. If an immediate upgrade is not possible, untrusted protobuf data should not be decoded with affected versions. Alternatively, excessively nested messages can be rejected at an outer protocol boundary where feasible (a check on the wire format before the bytes reach the decoder), or protobuf decoding can be isolated in a process or worker that can be safely restarted after a crash.
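The boundary check described above, as an added example that is not protobufjs code: a small JavaScript walker over the protobuf wire format that counts nesting of embedded messages and groups against an explicit limit and rejects the payload before it reaches the decoder. The schema (Node, Tree), the limit of 64, and the builder functions that construct the nested payloads are assumptions for illustration, not anything from the advisory or the library.

```javascript
'use strict';
// Added example: a depth-bounded protobuf wire-format walker to run at an outer
// protocol boundary before untrusted bytes are handed to a decoder. This is not
// protobufjs code; the schema below (Node/Tree) is hypothetical.

const WIRE_VARINT = 0, WIRE_FIXED64 = 1, WIRE_LEN = 2,
      WIRE_SGROUP = 3, WIRE_EGROUP = 4, WIRE_FIXED32 = 5;

// Hypothetical schema: for each message type, which field numbers hold an
// embedded message (wire type 2) or a group (wire type 3), and of which type.
// Node is self-recursive, which is exactly the shape a deep-nesting payload needs.
const SCHEMA = {
  Node: { 1: 'Node' },   // message Node { Node child = 1; }
  Tree: { 1: 'Tree' },   // message Tree { group Tree branch = 1 { ... } } (proto2 groups)
};

function encodeVarint(n) {
  const out = [];
  while (n >= 0x80) { out.push((n % 128) | 0x80); n = Math.floor(n / 128); }
  out.push(n);
  return out;
}

function readVarint(buf, pos, end) {
  let value = 0, mult = 1;
  for (let i = 0; i < 10; i++) {           // a valid varint is at most 10 bytes
    if (pos >= end) throw new Error('truncated varint');
    const b = buf[pos++];
    value += (b & 0x7f) * mult;
    if (b < 0x80) return [value, pos];
    mult *= 128;
  }
  throw new Error('varint longer than 10 bytes');
}

// Walks one message body over [pos, end). Every embedded message or group adds
// one level; the explicit depth counter is what the vulnerable recursive decode lacked.
function walk(ctx, pos, end, typeName, depth, groupField) {
  if (depth > ctx.maxDepth) {
    throw new RangeError(`nesting depth ${depth} exceeds limit of ${ctx.maxDepth}`);
  }
  if (depth > ctx.maxSeen) ctx.maxSeen = depth;
  const subFields = ctx.schema[typeName] || {};
  while (pos < end) {
    let tag;
    [tag, pos] = readVarint(ctx.buf, pos, end);
    const fieldNo = Math.floor(tag / 8);
    const wireType = tag % 8;
    switch (wireType) {
      case WIRE_VARINT: pos = readVarint(ctx.buf, pos, end)[1]; break;
      case WIRE_FIXED64: pos += 8; break;
      case WIRE_FIXED32: pos += 4; break;
      case WIRE_LEN: {
        let len;
        [len, pos] = readVarint(ctx.buf, pos, end);
        if (pos + len > end) throw new Error('length-delimited field overruns its message');
        // Only the schema can tell an embedded message from a bytes/string field.
        const sub = subFields[fieldNo];
        if (sub !== undefined) walk(ctx, pos, pos + len, sub, depth + 1, -1);
        pos += len;
        break;
      }
      case WIRE_SGROUP: {
        // A start-group tag is unambiguous even for unknown fields, so it always nests.
        const sub = subFields[fieldNo] !== undefined ? subFields[fieldNo] : '';
        pos = walk(ctx, pos, end, sub, depth + 1, fieldNo);
        break;
      }
      case WIRE_EGROUP:
        if (fieldNo !== groupField) throw new Error(`unmatched end-group tag for field ${fieldNo}`);
        return pos;
      default:
        throw new Error(`unsupported wire type ${wireType}`);
    }
    if (pos > end) throw new Error('field overruns its message');
  }
  if (groupField >= 0) throw new Error(`unterminated group for field ${groupField}`);
  return pos;
}

// Returns { ok: true, depth } or { ok: false, reason }; never throws on bad input.
function checkNestingDepth(buf, rootType, maxDepth, schema = SCHEMA) {
  const ctx = { buf, schema, maxDepth, maxSeen: 0 };
  try {
    walk(ctx, 0, buf.length, rootType, 0, -1);
    return { ok: true, depth: ctx.maxSeen };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed attack inputs. Nested embedded messages: field 1, wire type 2, repeated.
function buildNestedMessage(levels) {
  let body = [];                                  // innermost Node is empty
  for (let i = 0; i < levels; i++) body = [0x0a].concat(encodeVarint(body.length), body);
  return Uint8Array.from(body);
}

// Nested groups: `levels` start-group tags (0x0b) followed by the matching end-group tags (0x0c).
function buildNestedGroups(levels) {
  return Uint8Array.from(new Array(levels).fill(0x0b).concat(new Array(levels).fill(0x0c)));
}

if (typeof require !== 'undefined' && require.main === module) {
  const MAX_DEPTH = 64;
  console.log(checkNestingDepth(buildNestedMessage(16), 'Node', MAX_DEPTH));      // ok, depth 16
  console.log(checkNestingDepth(buildNestedMessage(10000), 'Node', MAX_DEPTH));   // rejected
  console.log(checkNestingDepth(buildNestedGroups(10000), 'Tree', MAX_DEPTH));    // rejected
}
```

Two caveats for anyone deploying such a check. Start-group tags (wire type 3) are unambiguous, so group nesting is counted even for fields the schema does not know, but a length-delimited field (wire type 2) is only counted as nesting when the schema says it holds a message, since bytes and string fields share that wire type; a schema-less check therefore cannot bound embedded-message depth. And the walker is itself recursive, so the limit must sit well below the engine's own stack capacity for the check to fail safely; 64 is far below what Node.js tolerates, while the rejected payloads above would reach depths in the thousands.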

Added: May 13, 2026, 5:26 PM
Updated: May 13, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 4.7
remediation: 8.3
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.