Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 1,242 npm packages depend on protobufjs (72 direct, 1,171 indirect)
Ecosystem-wide dependent count for version 8.0.0.
DescriptionCVE.org
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Articles & Coverage 1
AnalysisAI
Code injection vulnerability in protobufjs (JavaScript protobuf library) allows authenticated attackers to execute arbitrary JavaScript code during protobuf object decoding by injecting malicious payloads into 'type' fields of protobuf definitions. Affects all versions before 7.5.5 and 8.0.1. CVSS 9.4 (Critical) reflects chained impact across multiple security boundaries (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H), though exploitation requires authenticated access (PR:L) to inject malicious protobuf definitions. No active exploitation confirmed (not in CISA KEV); vendor-released patches available.
Technical ContextAI
Protobufjs (protobuf.js) is a widely-used JavaScript implementation of Protocol Buffers, Google's data serialization format. The library compiles .proto definition files into JavaScript code for efficient encoding/decoding. This vulnerability stems from CWE-94 (Improper Control of Generation of Code), specifically insufficient sanitization of the 'type' field in protobuf schema definitions before code generation. When protobufjs compiles a malicious protobuf definition containing injected JavaScript in type fields, that code becomes part of the generated decoder function. Subsequent calls to decode messages using the compromised definition trigger execution of the attacker-controlled code within the Node.js or browser JavaScript runtime. The CPE identifies protobufjs (protobuf.js) library across all versions prior to the patches, affecting any application that accepts and compiles user-supplied or untrusted protobuf definitions.
RemediationAI
Upgrade immediately to protobufjs version 7.5.5 (for 7.x users) or 8.0.1 (for 8.x users), available at https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5 and https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1 respectively. Vendor-released patches in commits 535df444ac and ff7b2afef8 implement input validation to sanitize 'type' fields before code generation. If immediate patching is not feasible, implement compensating controls: restrict protobuf definition sources to trusted administrators only (eliminate user-supplied or external schema sources), implement strict input validation on any protobuf schema uploads or API endpoints that accept .proto files, run protobuf compilation processes in sandboxed environments with minimal privileges (containers with restricted capabilities, separate service accounts with no access to sensitive data), and deploy runtime application self-protection (RASP) or Content Security Policy (CSP) in browser contexts to limit damage from successful code injection. Note that access control changes may break legitimate workflows where developers or API consumers provide schemas; evaluate business impact before deployment. Schema validation alone is insufficient if attackers can bypass filters-patching remains the definitive solution.
More in Protobuf Js
View allDenial-of-service via infinite loop in protobuf.js (the pure-JavaScript Protocol Buffers implementation for Node.js/brow
Uncontrolled recursion in protobufjs versions prior to 7.5.8 and 8.2.0 allows remote attackers to exhaust the JavaScript
Prototype pollution in protobuf.js versions 8.2.0 through 8.6.4 allows network-reachable attackers to corrupt JavaScript
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23678
GHSA-xq3m-2v4x-88gg