CVE-2026-41242

critical

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, an attacker who controls a protobuf definition can inject arbitrary code through its "type" fields; that code then executes when objects are decoded using the definition. Versions 8.0.1 and 7.5.5 patch the issue.

References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg

https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1

https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5

https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956

https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75

Details

Source: Mitre, NVD

Published: 2026-04-18

Updated: 2026-04-18

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 9.4

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Severity: Critical