{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48712", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-22T18:47:27.755Z", "datePublished": "2026-06-22T16:21:21.506Z", "dateUpdated": "2026-06-23T15:54:24.472Z"}, "containers": {"cna": {"title": "protobufjs: Denial of service through unbounded Any expansion during JSON conversion", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6"}], "affected": [{"vendor": "protobufjs", "product": "protobuf.js", "versions": [{"version": "< 7.6.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T16:21:21.506Z"}, "descriptions": [{"lang": "en", "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1."}], "source": {"advisory": "GHSA-wcpc-wj8m-hjx6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T13:50:28.096514Z", "id": "CVE-2026-48712", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T15:54:24.472Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48712", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-22T18:47:27.755Z", "datePublished": "2026-06-22T16:21:21.506Z", "dateUpdated": "2026-06-23T15:54:24.472Z"}, "containers": {"cna": {"title": "protobufjs: Denial of service through unbounded Any expansion during JSON conversion", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6"}], "affected": [{"vendor": "protobufjs", "product": "protobuf.js", "versions": [{"version": "< 7.6.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T16:21:21.506Z"}, "descriptions": [{"lang": "en", "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1."}], "source": {"advisory": "GHSA-wcpc-wj8m-hjx6", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-48712", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T13:50:28.096514Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T13:50:33.739Z"}}]}}

{}

{"bugzilla": {"description": "protobufjs: protobufjs: Denial of Service via uncontrolled recursion with crafted protobuf payload", "id": "2491451", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491451"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-606", "details": ["protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1.", "A flaw was found in protobufjs. A remote attacker could exploit this by sending a crafted protobuf binary payload containing deeply nested 'Any' values. This uncontrolled recursion could exhaust the JavaScript call stack during conversion to JSON, leading to a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "No specific mitigation required for unaffected runtime paths."}, "name": "CVE-2026-48712", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Not affected", "package_name": "grafana-infinity-datasource-npm", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-console-plugin-pf5-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-console-plugin-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-console-plugin-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Not affected", "package_name": "openshift-service-mesh/kiali-ossmc-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Not affected", "package_name": "openshift-service-mesh/kiali-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-26/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-27/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-platform-ui", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Not affected", "package_name": "rh-podman-desktop.git", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:ceph_storage:9", "fix_state": "Not affected", "package_name": "rhceph/alloy-rhel10", "product_name": "Red Hat Ceph Storage 9"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "impact": "low", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "impact": "low", "package_name": "rhelai3/bootc-gaudi-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "impact": "low", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "impact": "low", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "dotnet9.0", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-core-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform/bootc-automation-portal-rhel9", "product_name": "Self-service automation portal 2"}], "public_date": "2026-06-22T16:21:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-48712\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-48712\nhttps://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6"], "statement": "Red Hat rates this issue as having Low impact for Red Hat Enterprise Linux AI bootc images. Although protobufjs is present as a transitive dependency, the vulnerable parsing path is not exercised in normal product operation.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.6.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.4.1)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "protobuf.js", "source": "cna", "vendor": "protobufjs"}, "product": "protobuf", "vendor": "protobuf"}], "created": "2026-06-22T18:30:15.399288+00:00", "updated": "2026-06-29T14:00:05.029005+00:00", "vendors": ["protobuf", "protobuf$PRODUCT$protobuf"]}