protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, an attacker who controls a protobuf definition can inject arbitrary code through its "type" fields; the injected code then executes when an object is decoded using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
https://hackread.com/52m-download-protobuf-js-library-rce-schema-handle/
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956
https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75
Published: 2026-04-18
Updated: 2026-04-23
CVSS v2
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Severity: Critical
CVSS v3.1
Base Score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: Critical
CVSS v4.0
Base Score: 9.4
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Severity: Critical
EPSS: 0.0005
Tenable Research has classified this CVE under the following Vulnerability Watch classification (the classification set includes both active and historical, inactive, classifications):
Vulnerability Being Monitored