Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.4
CVE-2026-41242: protobufjs Allows Malicious Code Execution Through Protobuf Definitions
CVE-2026-41242
Summary
Protobufjs versions before 8.0.1 and 7.5.5 can execute malicious code if you use a specially crafted protobuf definition. This can happen if you allow users to input or upload such definitions. To fix this, upgrade to version 8.0.1 or 7.5.5.
Original title
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, whic...
Original description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
nvd CVSS4.0
9.4
Vulnerability type
CWE-94
Code Injection
- https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205...
- https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd11...
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88g...
Published: 18 Apr 2026 · Updated: 2 Jul 2026 · First seen: 18 Apr 2026