Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Published: 2026-04-18
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The protobuf.js library transforms protobuf definitions into JavaScript functions for decoding messages. In versions older than 8.0.1 and 7.5.5, a malicious actor can insert executable code into the "type" fields of a protobuf definition. When a payload is decoded using that definition, the injected code runs in the context of the application, leading to arbitrary code execution. This flaw is identified as code injection (CWE-94).

Affected Systems

The vulnerability affects all deployments of protobuf.js that use a version earlier than 8.0.1 or 7.5.5. The affected product is protobufjs (protobuf.js). Validated mitigations are available in releases 7.5.5 and 8.0.1, which remove the ability to inject code via the "type" field.

Risk and Exploitability

The CVSS score of 9.4 indicates a critical severity. Although a current EPSS score is not available, the high CVSS rating and the ability to execute code from user-supplied definitions suggest a high likelihood of exploitation, especially in environments where untrusted protobuf data is parsed. The vulnerability is not listed in CISA’s KEV catalog, but that does not reduce its potential impact. The attack vector is likely local or by delivering malicious protobuf messages to an application that decodes them, making any process with access to such messages a potential target.

Generated by OpenCVE AI on April 18, 2026 at 20:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade protobuf.js to at least version 8.0.1 or 7.5.5, applying the new releases that patch the code injection flaw.
  • If an immediate upgrade is not possible, reject or sanitize any untrusted protobuf definitions before decoding, ensuring that the "type" field cannot contain executable code.
  • Run vulnerability scanning to detect any remaining use of older releases.
  • Consider executing the decoding logic in a sandboxed process or environment with limited privileges to reduce potential impact.

Advisories
Source: Github GHSA
ID: GHSA-xq3m-2v4x-88gg
Title: Arbitrary code execution in protobufjs
History

Sat, 18 Apr 2026 16:30:00 +0000

Values Added:
Description: protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Title: protobufjs has an arbitrary code execution issue
Weaknesses: CWE-94
References:
Metrics: cvssV4_0
{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T16:18:10.652Z

Reserved: 2026-04-18T03:47:03.135Z

Link: CVE-2026-41242

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-18T17:16:13.983

Modified: 2026-04-18T17:16:13.983

Link: CVE-2026-41242

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses