CVE-2026-41242

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75	Patch
https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956	Patch
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5	Product Release Notes
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1	Product Release Notes
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:protobufjs_project:protobufjs::::::node.js::*
	cpe:2.3:a:protobufjs_project:protobufjs:8.0.0:::::node.js::

History

23 Apr 2026, 15:26

Type	Values Removed	Values Added
First Time		Protobufjs Project Protobufjs Project protobufjs
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:protobufjs_project:protobufjs::::::node.js::* cpe:2.3:a:protobufjs_project:protobufjs:8.0.0:::::node.js::
References	~~() https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75 -~~	() https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75 - Patch
References	~~() https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956 -~~	() https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956 - Patch
References	~~() https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5 -~~	() https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5 - Product, Release Notes
References	~~() https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1 -~~	() https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1 - Product, Release Notes
References	~~() https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg -~~	() https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg - Exploit, Vendor Advisory

18 Apr 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-18 17:16

Updated : 2026-04-23 15:26

NVD link : CVE-2026-41242

Mitre link : CVE-2026-41242

CVE.ORG link : CVE-2026-41242

JSON object : View

Products Affected

protobufjs_project

protobufjs

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.8 /10