CVE-2026-48712: protobufjs: Denial of service through unbounded Any expansion during JSON conversion

June 15, 2026

protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path.

A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON.

References

github.com/advisories/GHSA-wcpc-wj8m-hjx6
github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6
nvd.nist.gov/vuln/detail/CVE-2026-48712

Code Behaviors & Features

Detect and mitigate CVE-2026-48712 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →