CVE 9.4 CRITICAL

protobufjs has an arbitrary code execution issue_CVE-2026-41242

April 18, 2026 invoker category_cve

9.4 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

AI Analysis

Arbitrary code execution vulnerability in protobufjs due to insecure handling of type fields in protobuf definitions

Basic Information

ID CVE-2026-41242

Source GitHub_M

Published Apr 18, 2026 at 16:18

Affected Product

Vendor protobufjs

Product protobuf.js

Version < 7.5.5

Affected Versions protobufjs protobuf.js < 7.5.5
protobufjs protobuf.js >= 8.0.0-experimental, < 8.0.1

CWE Classification

CWE-94

AI Assessment

AI Score 9.4 / 10

AI Severity Critical

Vendor protobufjs

Product protobuf.js

Version < 7.5.5, >= 8.0.0-experimental, < 8.0.1

References

{
    "lastseen": "",
    "description": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the \"type\" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.",
    "published": "2026-04-18T16:18:10.652Z",
    "modified": "2026-04-18T16:18:10.652Z",
    "type": "cve",
    "title": "protobufjs has an arbitrary code execution issue",
    "source": "GitHub_M",
    "references": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg\nhttps://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75\nhttps://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956\nhttps://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5\nhttps://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1",
    "id": "CVE-2026-41242",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "protobufjs protobuf.js < 7.5.5\nprotobufjs protobuf.js >= 8.0.0-experimental, < 8.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "protobuf.js",
    "version": "< 7.5.5",
    "vendor": "protobufjs",
    "ai_description": "Arbitrary code execution vulnerability in protobufjs due to insecure handling of type fields in protobuf definitions",
    "ai_severity": "Critical",
    "ai_vendor": "protobufjs",
    "ai_product": "protobuf.js",
    "ai_version": "< 7.5.5, >= 8.0.0-experimental, < 8.0.1",
    "ai_score": 9.4
}

💭 Join the Security Discussion ❌ Cancel Reply