Potential Security Vulnerability Detected
Repository: grafana/grafana
Commit: b3db028
Author: Hugo Häggmark
Date: 2026-06-16T09:32:43Z
Commit Message
[main] chore(deps): Upgrade protobufjs to 7.6.4 (#126531)
chore(deps): Upgrade protobufjs to 7.6.4
Pull Request
PR: #126531 - [main] chore(deps): Upgrade protobufjs to 7.6.4
Labels: type/chore, dependencies, javascript
Description:
What is this feature?
Upgrades the transitive protobufjs dependency from 7.6.0 to 7.6.4. This fixes two CVEs, CVE-2026-48712 (high) and CVE-2026-54269 (medium), both denial-of-service issues in protobuf message-to-object conversion.
Why do we need this feature?
So we don't ship a protobufjs with known DoS vulnerabilities.
Who is this feature for?
Grafana maintainers
Which issue(s) does this PR fix?:
<!--
- Automatically closes linked issue when the Pull Reques...
Analysis
Vulnerability Type: Denial of Service
Severity: High
Description
This commit upgrades the protobufjs dependency from version 7.6.0 to 7.6.4, fixing two known denial-of-service vulnerabilities (CVE-2026-48712 and CVE-2026-54269). Before the update, an attacker could exploit flaws in protobuf message-to-object conversion to cause high CPU or memory usage, leading to service outages.
Affected Code
protobufjs@npm:^7.2.5:
  version: 7.6.0
  resolution: "protobufjs@npm:7.6.0"
Proof of Concept
Send a specially crafted protobuf message payload that triggers excessive processing during message-to-object conversion, causing the protobufjs library (version 7.6.0) to enter a resource-intensive loop or consume excessive memory, resulting in application slowdown or crash.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-06-16T12:01:21.340Z