protobufjs Denial-of-Service Vulnerability via Unbounded Recursive JSON Descriptor Expansion

Vulnerability

A denial-of-service vulnerability has been identified in protobufjs versions prior to 7.5.8 and 8.2.0. The library expands nested JSON descriptors recursively, without a depth limit, when Root.fromJSON() or Namespace.addJSON() walks the "nested" entries of a descriptor. A crafted descriptor whose namespaces are nested deeply enough therefore exhausts the JavaScript call stack and triggers a stack overflow. Because each nesting level costs only a few bytes of JSON, a payload small enough to pass ordinary request-size limits can exceed the engine's stack limit. The vulnerability affects applications that load JSON descriptors from untrusted sources; an attacker who can supply such a descriptor can crash the application or cause schema loading to fail.

Impact

Exploitation of this vulnerability leads to a stack overflow while the descriptor is being expanded. In Node.js this surfaces as a RangeError ("Maximum call stack size exceeded"): if the calling code does not catch it, the process terminates; if it does, schema loading still fails for that descriptor. The issue only affects applications that load JSON descriptors from untrusted sources using the affected protobufjs versions.

Remediation

Users should upgrade to protobufjs 7.5.8 or 8.2.0, which add a depth limit to descriptor expansion. If an immediate upgrade is not possible, do not load untrusted protobuf JSON descriptors with affected versions. As a further mitigation, excessively nested descriptor structures can be rejected at an outer validation boundary before they reach Root.fromJSON() or Namespace.addJSON(); such a check must itself be written without recursion, or the same input will overflow the check instead of the library. Alternatively, descriptor loading can be isolated in a process that can be safely restarted, so that a crash does not take down the rest of the application.
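The following is an added example of the outer validation boundary described above; it is not code from protobufjs or from the advisory. It assumes the descriptor uses the protobufjs JSON layout (namespaces nest through a "nested" property), picks an assumed limit of 64 levels, and deliberately walks the descriptor with an explicit stack rather than recursion so the check cannot be overflowed by the input it rejects. The deeply nested descriptor is constructed inline for the demonstration.

```javascript
'use strict';

// Assumed limit (not a protobufjs value): real schemas rarely nest more than
// a handful of namespaces, so 64 is generous while still far below the
// tens of thousands of levels needed to exhaust a default V8 stack.
const MAX_DESCRIPTOR_DEPTH = 64;

// Compute the namespace nesting depth of a protobufjs-style JSON descriptor
// ({ nested: { Name: { nested: { ... } } } }) WITHOUT recursion. An explicit
// work list keeps stack usage constant regardless of input depth. When a
// limit is given, the walk stops as soon as the limit is exceeded.
function descriptorDepth(descriptor, limit = Infinity) {
  let maxDepth = 0;
  const work = [{ node: descriptor, depth: 0 }];
  while (work.length > 0) {
    const { node, depth } = work.pop();
    if (depth > maxDepth) maxDepth = depth;
    if (maxDepth > limit) return maxDepth; // bail out early, no need to finish
    if (node === null || typeof node !== 'object') continue;
    const nested = node.nested;
    if (nested !== null && typeof nested === 'object') {
      for (const key of Object.keys(nested)) {
        work.push({ node: nested[key], depth: depth + 1 });
      }
    }
  }
  return maxDepth;
}

// Validation boundary: returns the descriptor unchanged if it is within the
// limit, otherwise throws an ordinary Error (not a RangeError from a blown
// stack) that the caller can handle like any other bad input.
function assertBoundedDescriptor(descriptor, limit = MAX_DESCRIPTOR_DEPTH) {
  const depth = descriptorDepth(descriptor, limit);
  if (depth > limit) {
    throw new Error(`descriptor nesting depth ${depth} exceeds limit ${limit}`);
  }
  return descriptor;
}

// Wrap whatever loader is in use (for example protobufjs' Root.fromJSON,
// passed in by the caller) so it only ever sees a pre-validated descriptor.
function loadDescriptorSafely(descriptor, loader, limit = MAX_DESCRIPTOR_DEPTH) {
  return loader(assertBoundedDescriptor(descriptor, limit));
}

// Constructed benign descriptor: one package containing one message type.
const benignDescriptor = {
  nested: {
    demo: {
      nested: {
        Greeting: { fields: { text: { type: 'string', id: 1 } } },
      },
    },
  },
};

// Constructed hostile descriptor: `levels` nested namespaces wrapped around a
// single message. Built iteratively; building it recursively would defeat
// the point of the demonstration.
function buildDeeplyNestedDescriptor(levels) {
  let node = { fields: { x: { type: 'int32', id: 1 } } };
  for (let i = 0; i < levels; i++) {
    node = { nested: { ['Ns' + i]: node } };
  }
  return node;
}

// Run the boundary against both inputs and report what happened. A stand-in
// loader that returns its argument is used here instead of protobufjs so the
// example runs without the library installed.
function demo() {
  const identityLoader = (d) => d;
  const result = { benignDepth: descriptorDepth(benignDescriptor) };
  result.benignLoaded = loadDescriptorSafely(benignDescriptor, identityLoader) === benignDescriptor;
  const hostile = buildDeeplyNestedDescriptor(100000);
  try {
    loadDescriptorSafely(hostile, identityLoader);
    result.hostileRejected = false;
  } catch (err) {
    // A RangeError here would mean the guard itself overflowed; we want a
    // plain Error from assertBoundedDescriptor instead.
    result.hostileRejected = !(err instanceof RangeError) && /exceeds limit/.test(err.message);
  }
  return result;
}
```

In production the loader argument would be `(d) => protobuf.Root.fromJSON(d)`; the guard runs first and never hands an over-deep descriptor to the library. The same iterative walk can be extended to cap the total number of nested entries if a size limit is also wanted.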

Added: May 13, 2026, 5:12 PM
Updated: May 13, 2026, 5:12 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          6.6
  impact          2.5
  exploitability  4.7
  remediation     8.3
  relevance       8.2
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.