{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41242", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.135Z", "datePublished": "2026-04-18T16:18:10.652Z", "dateUpdated": "2026-04-20T16:03:57.689Z"}, "containers": {"cna": {"title": "protobufjs has an arbitrary code execution issue", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg"}, {"name": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75", "tags": ["x_refsource_MISC"], "url": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75"}, {"name": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956", "tags": ["x_refsource_MISC"], "url": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956"}, {"name": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5"}, {"name": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1"}], "affected": [{"vendor": "protobufjs", "product": "protobuf.js", "versions": [{"version": "< 7.5.5", "status": "affected"}, {"version": ">= 8.0.0-experimental, < 8.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T16:18:10.652Z"}, "descriptions": [{"lang": "en", "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the \"type\" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue."}], "source": {"advisory": "GHSA-xq3m-2v4x-88gg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:03:39.054181Z", "id": "CVE-2026-41242", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:03:57.689Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41242", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.135Z", "datePublished": "2026-04-18T16:18:10.652Z", "dateUpdated": "2026-04-20T16:03:57.689Z"}, "containers": {"cna": {"title": "protobufjs has an arbitrary code execution issue", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg"}, {"name": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75", "tags": ["x_refsource_MISC"], "url": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75"}, {"name": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956", "tags": ["x_refsource_MISC"], "url": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956"}, {"name": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5"}, {"name": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1"}], "affected": [{"vendor": "protobufjs", "product": "protobuf.js", "versions": [{"version": "< 7.5.5", "status": "affected"}, {"version": ">= 8.0.0-experimental, < 8.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T16:18:10.652Z"}, "descriptions": [{"lang": "en", "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the \"type\" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue."}], "source": {"advisory": "GHSA-xq3m-2v4x-88gg", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41242", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T16:03:39.054181Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:03:52.059Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the \"type\" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue."}], "id": "CVE-2026-41242", "lastModified": "2026-04-20T19:03:07.607", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T17:16:13.983", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75"}, {"source": "security-advisories@github.com", "url": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956"}, {"source": "security-advisories@github.com", "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.5.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0-experimental,8.0.1)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "protobuf.js", "source": "cna", "vendor": "protobufjs"}, "product": "protobuf", "vendor": "protobuf"}], "analysis": {"en": {"generated_at": "2026-04-18T20:02:34.879036+00:00", "value": {"mitigation_remediation": ["Upgrade protobuf.js to at least version 8.0.1 or 7.5.5, applying the new releases that patch the code injection flaw.", "If an immediate upgrade is not possible, reject or sanitize any untrusted protobuf definitions before decoding, ensuring that the \"type\" field cannot contain executable code.", "Run vulnerability scanning to detect any remaining use of older releases.", "Consider executing the decoding logic in a sandboxed process or environment with limited privileges to reduce potential impact."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all deployments of protobuf.js that use a version earlier than 8.0.1 or 7.5.5. The affected product is protobufjs: protobuf.js. Validated mitigations are available in releases 7.5.5 and 8.0.1, which remove the ability to inject code via the \"type\" field.", "description_and_impact": "The protobuf.js library transforms protobuf definitions into JavaScript functions for decoding messages. In versions older than 8.0.1 and 7.5.5, a malicious actor can insert executable code into the \"type\" fields of a protobuf definition. When a payload is decoded using that definition, the injected code runs in the context of the application, leading to arbitrary code execution. This flaw is identified as code injection (CWE-94).", "risk_and_exploitability": "The CVSS score of 9.4 indicates a critical severity. Although a current EPSS score is not available, the high CVSS rating and the ability to execute code from user-supplied definitions suggest a high likelihood of exploitation, especially in environments where untrusted protobuf data is parsed. The vulnerability is not listed in CISA\u2019s KEV catalog, but that does not reduce its potential impact. The attack vector is likely local or by delivering malicious protobuf messages to an application that decodes them, making any process with access to such messages a potential target."}}}}, "created": "2026-04-18T20:15:09.537385+00:00", "updated": "2026-04-20T14:45:08.998588+00:00", "vendors": ["protobuf", "protobuf$PRODUCT$protobuf"]}