CVE-2026-59877

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.
Configurations

No configuration.

History

08 Jul 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-08 16:16

Updated : 2026-07-08 17:17


NVD link : CVE-2026-59877

Mitre link : CVE-2026-59877

CVE.ORG link : CVE-2026-59877


JSON object : View

Products Affected

No product.

CWE
CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')