Summary
protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path.
A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON.
Preconditions
- The application must decode protobuf binary data influenced by an attacker.
- The application schema must include google.protobuf.Any, and the referenced type_url must resolve to a message type in the loaded protobuf root.
- The application must convert the decoded message to JSON or a plain object through an affected conversion path.
- The crafted input must contain deeply nested Any values that are expanded during conversion.
Workarounds
Avoid converting untrusted protobuf messages containing google.protobuf.Any values to JSON with affected versions. If immediate upgrade is not possible, reject or limit messages with deeply nested Any payloads at an outer protocol boundary where feasible, avoid JSON conversion of untrusted Any values, or isolate message conversion in a process that can be safely restarted.
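The following is an added example, not code from protobufjs or from this advisory, of the "limit deeply nested Any payloads at an outer protocol boundary" workaround. It models a decoded message as a plain JavaScript object tree in which each expanded Any value is an object with a `type_url` string and a `value` field holding the inner message (with real protobufjs objects the inner bytes would have to be decoded before the nesting is visible; that step is assumed here). The guard walks the tree with an explicit stack rather than recursion, so the check itself cannot exhaust the call stack on the input it is meant to reject, and JSON conversion only runs once the nesting depth is within the limit. `MAX_ANY_DEPTH`, `example.Wrapper` and all sample messages are constructed values.

```javascript
// Added example, not protobufjs code: refuse JSON conversion of decoded messages
// whose google.protobuf.Any nesting exceeds a fixed bound.

const MAX_ANY_DEPTH = 16; // constructed limit; set it to what the schema legitimately needs

// An expanded Any is modelled as { type_url: string, value: <inner message> } (assumption).
function isAnyLike(node) {
  return node !== null && typeof node === 'object' &&
    typeof node.type_url === 'string' && 'value' in node;
}

// Iterative walk (explicit stack, no recursion) that counts how many Any
// values wrap each other. Stops as soon as the limit is exceeded.
// Returns { ok: true, maxDepth } or { ok: false, maxDepth, reason }.
function checkAnyNesting(root, limit = MAX_ANY_DEPTH) {
  const stack = [{ node: root, depth: 0 }];
  let maxDepth = 0;
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue; // scalars carry no nesting
    const nextDepth = isAnyLike(node) ? depth + 1 : depth;
    if (nextDepth > maxDepth) maxDepth = nextDepth;
    if (nextDepth > limit) {
      return { ok: false, maxDepth: nextDepth, reason: `Any nesting exceeds limit of ${limit}` };
    }
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) stack.push({ node: child, depth: nextDepth });
  }
  return { ok: true, maxDepth };
}

// Gate the conversion: convert only when the guard passes, otherwise reject the message.
function safeToJson(decoded, limit = MAX_ANY_DEPTH) {
  const verdict = checkAnyNesting(decoded, limit);
  if (!verdict.ok) throw new RangeError(verdict.reason);
  return JSON.stringify(decoded);
}

// Constructed sample input: a message wrapping an Any chain of the requested depth.
function buildNestedAny(depth) {
  let inner = { text: 'leaf' };
  for (let i = 0; i < depth; i++) {
    inner = { type_url: 'type.googleapis.com/example.Wrapper', value: inner }; // hypothetical type
  }
  return { id: 1, payload: inner };
}

// Usage: an in-bounds message converts, an over-deep one is refused before conversion.
console.log(safeToJson(buildNestedAny(3)));
try {
  safeToJson(buildNestedAny(100000));
} catch (err) {
  console.log('rejected:', err.message);
}
```

The walk is deliberately iterative: a recursive depth counter would fail on exactly the input it is supposed to catch. Applying the guard at the protocol boundary, before any `toObject()` or `JSON.stringify` call, also keeps the rejection cheap, since the check stops at the first value past the limit rather than traversing the whole payload.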
Impact
An attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause message conversion to fail with a stack overflow.
This affects applications that decode untrusted protobuf input containing google.protobuf.Any values and then convert decoded messages to JSON or plain objects with JSON conversion enabled, for example through JSON.stringify(message), Message#toJSON(), or Type.toObject(message, { json: true }).
Applications that only decode and re-encode protobuf binary data without converting decoded messages to JSON are not directly affected by this issue.
CVE-2026-48712 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (7.6.1, 8.4.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Upgrade protobufjs to 7.6.1 or later, or to 8.4.1 or later.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-48712? CVE-2026-48712 is a high-severity security vulnerability in protobufjs (npm), affecting versions <= 7.6.0. It is fixed in 7.6.1, 8.4.1.
- How severe is CVE-2026-48712? CVE-2026-48712 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of protobufjs are affected by CVE-2026-48712? protobufjs (npm) versions <= 7.6.0 are affected.
- Is there a fix for CVE-2026-48712? Yes. CVE-2026-48712 is fixed in 7.6.1 and 8.4.1. Upgrade to one of these versions or later.
- Is CVE-2026-48712 exploitable, and should I be worried? Whether CVE-2026-48712 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-48712 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-48712?
  - Upgrade protobufjs to 7.6.1 or later
  - Upgrade protobufjs to 8.4.1 or later