QwikSec

Security Database

CVE

CWE

Training

CVE-2026-41242

Published: Apr 18, 2026

Modified: Apr 20, 2026

PUBLISHED

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Vendor	Product	Versions
protobufjs	protobuf.js	affected `< 7.5.5` affected `>= 8.0.0-experimental, < 8.0.1`

Weaknesses (CWE)

References

https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg

x_refsource_CONFIRM

https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75

x_refsource_MISC

https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956

x_refsource_MISC

https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5

x_refsource_MISC

https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.