{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44289/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["protobufjs (\u003c= 7.5.5)","protobufjs (\u003e= 8.0.0, \u003c= 8.0.1)"],"_cs_severities":["high"],"_cs_tags":["denial of service","protobufjs","CVE-2026-44289"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eprotobuf.js versions 7.5.5 and earlier, and 8.0.0 through 8.0.1, are susceptible to a denial-of-service vulnerability (CVE-2026-44289) due to unbounded recursion during the decoding of nested protobuf data. This vulnerability is triggered when the decoder encounters deeply nested structures, either through unknown group fields or nested message fields. An attacker can exploit this by crafting a malicious protobuf binary payload that, when processed by an application using a vulnerable version of protobuf.js, causes the JavaScript call stack to be exhausted. This stack exhaustion leads to a process crash or decoding failure due to a stack overflow. This vulnerability poses a risk to applications that decode untrusted protobuf binary input, potentially disrupting service availability and requiring process restarts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious protobuf binary payload. This payload contains excessively nested protobuf structures.\u003c/li\u003e\n\u003cli\u003eThe application receives the crafted protobuf binary payload as input. This input may originate from a network request, file upload, or other data source.\u003c/li\u003e\n\u003cli\u003eThe application uses a vulnerable version of protobuf.js (\u0026lt;= 7.5.5 or \u0026gt;= 8.0.0 and \u0026lt;= 8.0.1) to decode the protobuf binary data.\u003c/li\u003e\n\u003cli\u003eDuring decoding, the protobuf.js library recursively processes the nested structures within the payload.\u003c/li\u003e\n\u003cli\u003eDue to the excessive nesting, the JavaScript call stack grows without bound. The recursion occurs when either skipping unknown group fields or decoding nested message fields.\u003c/li\u003e\n\u003cli\u003eThe JavaScript call stack reaches its limit, resulting in a stack overflow error.\u003c/li\u003e\n\u003cli\u003eThe application process terminates abruptly due to the unhandled exception.\u003c/li\u003e\n\u003cli\u003eThe application becomes unavailable, leading to a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-44289) leads to a denial-of-service condition, where the application processing the crafted protobuf data crashes or becomes unresponsive. The impact depends on the role of the affected application; a crash in a critical service can disrupt operations, while a crash in a less critical component may only cause temporary inconvenience. The number of affected applications depends on the adoption of vulnerable protobuf.js versions and the prevalence of untrusted protobuf data processing. The attack can cause loss of service availability and potential data integrity issues if decoding is interrupted mid-process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade protobuf.js to the latest version to patch CVE-2026-44289.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement input validation to reject excessively nested protobuf messages at the application layer.\u003c/li\u003e\n\u003cli\u003eConsider isolating protobuf decoding within a sandboxed process that can be safely restarted to mitigate the impact of crashes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect protobuf.js Excessive Recursion Attempt\u0026rdquo; to identify potential exploitation attempts by monitoring process resource consumption.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:05:31Z","date_published":"2026-05-12T15:05:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-dos/","summary":"protobuf.js is vulnerable to a denial-of-service (DoS) attack (CVE-2026-44289) due to unbounded recursion while decoding nested protobuf data, potentially leading to stack exhaustion and process crashes when processing crafted protobuf binary payloads.","title":"protobuf.js Denial-of-Service Vulnerability via Unbounded Recursion (CVE-2026-44289)","url":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44289","version":"https://jsonfeed.org/version/1.1"}