CVE-2026-41242

CRITICAL

protobufjs has an arbitrary code execution issue

Title source: cna

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, an attacker who supplies a protobuf definition can inject arbitrary code through its "type" fields; that code then executes when objects are decoded using the definition. Versions 8.0.1 and 7.5.5 patch the issue.

Scores

CVSS v3 9.8
EPSS 0.0006
EPSS Percentile 19.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (5)
npm/protobufjs 8.0.0 - 8.0.1 (npm)
protobufjs/protobuf.js < 7.5.5
protobufjs/protobuf.js >= 8.0.0-experimental, < 8.0.1
protobufjs_project/protobufjs 8.0.0
protobufjs_project/protobufjs < 7.5.5
Published Apr 18, 2026
Tracked Since Apr 18, 2026