CVE-2026-54270
protobufjs: Memory amplification from preserved unknown fields in binary decode
Description
## Summary protobufjs 8.2.0 added support for preserving unknown fields encountered during binary decode. Affected versions preserved unknown wire elements in `message.$unknowns` and did not provide a decode-time option to discard unknown fields before retaining them. A crafted protobuf payload containing many unknown fields could therefore cause a decoded message to retain substantially more memory than the input size would suggest, even when unknown-field round-tripping is not needed. protobufjs 8.5.0 added the relevant decode-time options, allowing applications that decode untrusted protobuf data to disable unknown-field retention during decode. protobufjs 8.6.2 flips the default so unknown fields are discarded unless explicitly opted into. ## Impact An attacker who can provide protobuf binary data decoded by an application using affected protobufjs versions may be able to increase memory pressure by sending messages with many unknown fields. This can degrade availability or contribute to process termination in services that decode and retain attacker-controlled messages. This issue affects applications that decode untrusted protobuf binary input and do not need unknown-field round-tripping. Applications that only decode trusted protobuf data, already enforce input-size/concurrency limits, or do not retain decoded messages beyond immediate processing are less directly affected. ## Preconditions * The application must decode protobuf binary data influenced by an attacker. * The decoded schema must not define the attacker-selected field numbers, causing those fields to be treated as unknown. * The application must use a protobufjs version that preserves unknown fields but does not provide a decode-time discard option. * The decoded message, or enough decoded messages concurrently, must remain live long enough for retained unknown-field data to affect memory usage. ## Workarounds Upgrade to protobufjs 8.5.0 or newer and disable unknown-field preservation if not needed: Create a `Reader`, set `reader.discardUnknown = true`, and decode from that reader, or make this the default for subsequently created readers by setting `Reader.discardUnknown = true`. When upgrading to protobufjs 8.6.2 or newer, unknown fields are discarded by default unless opted into by setting `discardUnknown = false`. Applications should also continue to enforce input-size, request concurrency, and request timeout limits at their transport or application boundary.
How to fix CVE-2026-54270
To remediate CVE-2026-54270, upgrade the affected package to a fixed version below.