{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "7.5.0"
              },
              {
                "fixed": "7.6.5"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.6.6"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "1dbcfe322899aca50fb82916db7802f647f23f0e"
            },
            {
              "fixed": "89048ba0bbf3ed78f77199102f0614dafc2b4860"
            },
            {
              "introduced": "933e8750dcd000c16a621a7344a4beaa034c4019"
            },
            {
              "fixed": "55e4c8f8eadfc21c848f6a1eedd1b383a3720099"
            }
          ],
          "repo": "https://github.com/protobufjs/protobuf.js",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-j3f2-48v5-ccww"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-835"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59877.json"
  },
  "details": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.",
  "id": "CVE-2026-59877",
  "modified": "2026-07-15T01:49:19.788505514Z",
  "published": "2026-07-08T15:28:07.696Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.6.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.6.6"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59877.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-j3f2-48v5-ccww"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59877"
    },
    {
      "type": "FIX",
      "url": "https://github.com/protobufjs/protobuf.js/commit/10fba6d54815ceecca8a06b9a6db490c8f5d2217"
    },
    {
      "type": "FIX",
      "url": "https://github.com/protobufjs/protobuf.js/commit/fa5c73add738ceb471e74da8cc2f3727c3d0a69f"
    },
    {
      "type": "FIX",
      "url": "https://github.com/protobufjs/protobuf.js/pull/2352"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "protobufjs: Denial of Service via infinite loop in .proto option parsing"
}