Critical severity9.8NVD Advisory· Published Apr 18, 2026· Updated Apr 23, 2026

CVE-2026-41242

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
protobufjsnpm	>= 8.0.0, < 8.0.1	8.0.1
protobufjsnpm	< 7.5.5	7.5.5

Affected products

Protobufjs Project/Protobufjs2 versions
cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*range: <7.5.5
- cpe:2.3:a:protobufjs_project:protobufjs:8.0.0:*:*:*:*:node.js:*:*

Patches

ff7b2afef875

fix: filter invalid characters from the type name (#2127)

https://github.com/protobufjs/protobuf.jsAlexander FensterMar 11, 2026via ghsa

commit

1 file changed · +1 −0

src/type.js+1 −0 modified

@@ -29,6 +29,7 @@ var Enum      = require("./enum"),
  * @param {Object.<string,*>} [options] Declared options
  */
 function Type(name, options) {
+    name = name.replace(/\W/g, "");
     Namespace.call(this, name, options);
 
     /**

535df444ac06

fix: filter invalid characters from the type name (#2127)

https://github.com/protobufjs/protobuf.jsAlexander FensterMar 11, 2026via ghsa

commit

1 file changed · +1 −0

src/type.js+1 −0 modified

@@ -29,6 +29,7 @@ var Enum      = require("./enum"),
  * @param {Object.<string,*>} [options] Declared options
  */
 function Type(name, options) {
+    name = name.replace(/\W/g, "");
     Namespace.call(this, name, options);
 
     /**

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75nvdPatchWEB
github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956nvdPatchWEB
github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88ggnvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-xq3m-2v4x-88ggghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41242ghsaADVISORY
github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5nvdProductRelease NotesWEB
github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1nvdProductRelease NotesWEB

News mentions

No linked articles in our index yet.

Severity

CriticalCVSS v3.1

9.8/ 10

CVSS v49.4

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

Probability of exploitation in the next 30 days.

0.06%

VYPR risk score

Composite of severity, exploitation, and reach.

0.57high

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000

Weaknesses

CWE-94
Improper Control of Generation of Code ('Code Injection')

CVE ID

CVE-2026-41242

Source code

github.com/protobufjs/protobuf.js

Credits

C
cristianstaicu
reporter · ghsa
A
alexander-fenster
remediation_developer · ghsa
S
sofisl
remediation_reviewer · ghsa