Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

PUBLISHED | Reserved 2026-04-18 | Published 2026-04-18 | Updated 2026-04-20 | Assigner GitHub_M

CRITICAL: 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 7.5.5: affected

>= 8.0.0-experimental, < 8.0.1: affected

References

github.com/...buf.js/security/advisories/GHSA-xq3m-2v4x-88gg

github.com/...ommit/535df444ac060243722ac5d672db205e5c531d75

github.com/...ommit/ff7b2afef8754837cc6dc64c864cd111ab477956

github.com/...fjs/protobuf.js/releases/tag/protobufjs-v7.5.5

github.com/...fjs/protobuf.js/releases/tag/protobufjs-v8.0.1

cve.org (CVE-2026-41242)

nvd.nist.gov (CVE-2026-41242)