Vulnerability Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Protobufjs Project | Protobufjs | < 7.5.5 |
Related Weaknesses (CWE)
References
- https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205Patch
- https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd11Patch
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5ProductRelease Notes
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1ProductRelease Notes
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gExploitVendor Advisory
FAQ
What is CVE-2026-41242?
CVE-2026-41242 is a vulnerability with a CVSS score of 9.8 (CRITICAL). protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which w...
How severe is CVE-2026-41242?
CVE-2026-41242 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-41242?
Check the references section above for vendor advisories and patch information. Affected products include: Protobufjs Project Protobufjs.