js · protobufjsHeads-up

protobufjs 8.2.0–8.6.1: Unknown fields cause memory pressure

protobufjs versions 8.2.0 through 8.6.1 preserve unknown fields during binary decode, leading to memory pressure from crafted payloads. Version 8.5.0 added deco

16 Jun 2026Read 1 minSeverity: schedule it

What changed

protobufjs versions 8.2.0 through 8.6.1 preserve unknown fields during binary decode, leading to memory pressure from crafted payloads. Version 8.5.0 added decode-time options to discard unknown fields; version 8.6.2 flips the default to discard unknown fields unless explicitly opted in.

Who it affects

Applications decoding untrusted protobuf binary data using affected protobufjs versions that do not need unknown-field round-tripping.

What to do today

Upgrade to protobufjs 8.6.2 or later, or if using 8.5.0+, set `reader.discardUnknown = true` to disable unknown-field retention.

The trail

Collected→ Audited→ Written→ Published

Source

GitHub Advisory · protobufjs

protobufjs 8.2.0–8.6.1: Unknown fields cause memory pressure

What changed

Who it affects

What to do today

More on protobufjs

@angular/core and @angular/compiler Security Advisory: Namespace Sanitization Bypass

@angular/compiler fails to sanitize two-way property bindings on sensitive DOM properties