protobufjs: Unbounded Recursion in toObject() and Any JSON Conversion
What changed
protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affects the generated toObject() conversion and the custom google.protobuf.Any JSON conversion path.
Who it affects
Applications that decode untrusted protobuf input containing google.protobuf.Any values and then convert decoded messages to JSON or plain objects with JSON conversion enabled.
What to do today
Upgrade protobufjs to a patched version. If immediate upgrade is not possible, avoid converting untrusted protobuf messages containing google.protobuf.Any values to JSON, or isolate message conversion in a process that can be safely restarted.