CVE-2026-41242: CWE-94: Improper Control of Generation of Code ('Code Injection') in protobufjs protobuf.js
CVE-2026-41242 is a critical code injection vulnerability in protobufjs's protobuf. js library. Versions prior to 7. 5. 5 and between 8. 0. 0-experimental and before 8. 0. 1 allow attackers to inject arbitrary code via the "type" fields in protobuf definitions. This injected code executes during object decoding, posing a severe security risk.
AI Analysis
Technical Summary
protobufjs compiles protobuf definitions into JavaScript functions. In affected versions (<7.5.5 and >=8.0.0-experimental but <8.0.1), attackers can exploit improper control of code generation (CWE-94) by injecting arbitrary code into the "type" fields of protobuf definitions. This code executes during the decoding process, enabling potential remote code execution or other malicious actions. The vulnerability is rated critical with a CVSS 4.0 score of 9.4. Although no direct patch links or vendor advisories are provided, the issue is fixed starting from versions 7.5.5 and 8.0.1.
Potential Impact
Successful exploitation allows attackers to execute arbitrary code during protobuf object decoding, which can lead to remote code execution or compromise of the host environment. The vulnerability affects the integrity and security of applications using vulnerable protobuf.js versions, potentially resulting in full system compromise depending on the context of use.
Mitigation Recommendations
Upgrade protobuf.js to version 7.5.5 or later, or to 8.0.1 or later, as these versions include fixes for this vulnerability. Since no official vendor advisory or patch link is provided, verify the upgrade path with the protobufjs project repository or official channels. Avoid using vulnerable versions in production environments. Patch status is not explicitly confirmed beyond the version numbers stated; check the vendor repository or official protobufjs communications for the latest remediation guidance.
CVE-2026-41242: CWE-94: Improper Control of Generation of Code ('Code Injection') in protobufjs protobuf.js
Description
CVE-2026-41242 is a critical code injection vulnerability in protobufjs's protobuf. js library. Versions prior to 7. 5. 5 and between 8. 0. 0-experimental and before 8. 0. 1 allow attackers to inject arbitrary code via the "type" fields in protobuf definitions. This injected code executes during object decoding, posing a severe security risk.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
protobufjs compiles protobuf definitions into JavaScript functions. In affected versions (<7.5.5 and >=8.0.0-experimental but <8.0.1), attackers can exploit improper control of code generation (CWE-94) by injecting arbitrary code into the "type" fields of protobuf definitions. This code executes during the decoding process, enabling potential remote code execution or other malicious actions. The vulnerability is rated critical with a CVSS 4.0 score of 9.4. Although no direct patch links or vendor advisories are provided, the issue is fixed starting from versions 7.5.5 and 8.0.1.
Potential Impact
Successful exploitation allows attackers to execute arbitrary code during protobuf object decoding, which can lead to remote code execution or compromise of the host environment. The vulnerability affects the integrity and security of applications using vulnerable protobuf.js versions, potentially resulting in full system compromise depending on the context of use.
Mitigation Recommendations
Upgrade protobuf.js to version 7.5.5 or later, or to 8.0.1 or later, as these versions include fixes for this vulnerability. Since no official vendor advisory or patch link is provided, verify the upgrade path with the protobufjs project repository or official channels. Avoid using vulnerable versions in production environments. Patch status is not explicitly confirmed beyond the version numbers stated; check the vendor repository or official protobufjs communications for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-18T03:47:03.135Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e46a7a19fe3cd2cde33d17
Added to database: 4/19/2026, 5:39:06 AM
Last enriched: 4/19/2026, 5:39:13 AM
Last updated: 4/19/2026, 7:57:26 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.