Skip to main content

Protobuf Js CVE-2026-41242

| EUVDEUVD-2026-23678 CRITICAL
Code Injection (CWE-94)
2026-04-18 GitHub_M GHSA-xq3m-2v4x-88gg
9.4
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
Apr 23, 2026 - 15:26 vuln.today
Public exploit code
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Patch released
Apr 18, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 18, 2026 - 18:44 vuln.today
EUVD ID Assigned
Apr 18, 2026 - 16:30 euvd
EUVD-2026-23678
Analysis Generated
Apr 18, 2026 - 16:30 vuln.today
CVE Published
Apr 18, 2026 - 16:18 nvd
CRITICAL 9.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,242 npm packages depend on protobufjs (72 direct, 1,171 indirect)

Ecosystem-wide dependent count for version 8.0.0.

DescriptionCVE.org

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

AnalysisAI

Code injection vulnerability in protobufjs (JavaScript protobuf library) allows authenticated attackers to execute arbitrary JavaScript code during protobuf object decoding by injecting malicious payloads into 'type' fields of protobuf definitions. Affects all versions before 7.5.5 and 8.0.1. CVSS 9.4 (Critical) reflects chained impact across multiple security boundaries (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H), though exploitation requires authenticated access (PR:L) to inject malicious protobuf definitions. No active exploitation confirmed (not in CISA KEV); vendor-released patches available.

Technical ContextAI

Protobufjs (protobuf.js) is a widely-used JavaScript implementation of Protocol Buffers, Google's data serialization format. The library compiles .proto definition files into JavaScript code for efficient encoding/decoding. This vulnerability stems from CWE-94 (Improper Control of Generation of Code), specifically insufficient sanitization of the 'type' field in protobuf schema definitions before code generation. When protobufjs compiles a malicious protobuf definition containing injected JavaScript in type fields, that code becomes part of the generated decoder function. Subsequent calls to decode messages using the compromised definition trigger execution of the attacker-controlled code within the Node.js or browser JavaScript runtime. The CPE identifies protobufjs (protobuf.js) library across all versions prior to the patches, affecting any application that accepts and compiles user-supplied or untrusted protobuf definitions.

RemediationAI

Upgrade immediately to protobufjs version 7.5.5 (for 7.x users) or 8.0.1 (for 8.x users), available at https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5 and https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1 respectively. Vendor-released patches in commits 535df444ac and ff7b2afef8 implement input validation to sanitize 'type' fields before code generation. If immediate patching is not feasible, implement compensating controls: restrict protobuf definition sources to trusted administrators only (eliminate user-supplied or external schema sources), implement strict input validation on any protobuf schema uploads or API endpoints that accept .proto files, run protobuf compilation processes in sandboxed environments with minimal privileges (containers with restricted capabilities, separate service accounts with no access to sensitive data), and deploy runtime application self-protection (RASP) or Content Security Policy (CSP) in browser contexts to limit damage from successful code injection. Note that access control changes may break legitimate workflows where developers or API consumers provide schemas; evaluate business impact before deployment. Schema validation alone is insufficient if attackers can bypass filters-patching remains the definitive solution.

Vendor StatusVendor

Share

CVE-2026-41242 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy