DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-41242: Remote Code Execution via Code Injection in protobufjs

Vulnerability ID: CVE-2026-41242
CVSS Score: 9.4
Published: 2026-04-18

A critical remote code execution vulnerability in the protobufjs package allows unauthenticated attackers to execute arbitrary JavaScript within the Node.js runtime environment via maliciously crafted schema definitions.

TL;DR

protobufjs versions prior to 7.5.5 and 8.0.1 suffer from a code injection vulnerability (CWE-94) during dynamic code generation. Attackers can achieve RCE by supplying crafted Protobuf definitions containing unsanitized JavaScript syntax in type names.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-94
  • CVSS Score: 9.4
  • Attack Vector: Network
  • EPSS Percentile: 15.37%
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Node.js services processing dynamic Protobuf schemas
  • Multi-tenant RPC servers utilizing protobufjs
  • Applications loading schema definitions from external APIs
  • protobufjs: < 7.5.5 (Fixed in: 7.5.5)
  • protobufjs: >= 8.0.0-experimental, < 8.0.1 (Fixed in: 8.0.1)

Code Analysis

Commit: 535df44

Fix for main branch addressing arbitrary code execution by sanitizing the Type name input.

Commit: ff7b2af

Backport fix for 7.x branch addressing arbitrary code execution.

Exploit Details

  • GitHub: Proof of Concept repository demonstrating RCE via malicious descriptor.

Mitigation Strategies

  • Update protobufjs package to a patched version
  • Implement input validation and trust boundaries for schema parsing
  • Apply principle of least privilege to Node.js application processes

Remediation Steps:

  1. Identify all direct and transitive usages of protobufjs via dependency scanning.
  2. Update packages directly depending on protobufjs to versions 7.5.5 or 8.0.1.
  3. Audit application logic to ensure no user-controlled endpoints pass untrusted JSON or .proto strings to protobuf.Root.fromJSON().
  4. Harden the deployment environment by disabling unnecessary Node.js modules or running processes in read-only filesystems.
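A defensive pre-check that step 3 calls for, applied to descriptor JSON before it reaches protobuf.Root.fromJSON(). This is an added example, not code from the CVE report or from protobufjs; the identifier regexes, the findUnsafeNames/isSafeDescriptor names, the list of name-bearing keys and the sample descriptors are my own assumptions about what a strict Protobuf identifier looks like.

```javascript
// Constructed example: reject any descriptor whose type, field, enum, oneof or
// method names are not plain Protobuf identifiers, since protobufjs interpolates
// such names into dynamically generated code (CVE-2026-41242, CWE-94).

// A .proto identifier: letter or underscore, then letters, digits, underscores.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Type references may be dotted and may carry a leading dot (fully qualified).
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
// Keys of a Root.fromJSON reflection object whose child keys are names (assumed).
const NAMED_MAPS = ['nested', 'fields', 'oneofs', 'values', 'methods'];

// Walk a Root.fromJSON-style descriptor and return the dotted path of every
// entry whose name or type reference is not a strict identifier.
function findUnsafeNames(descriptor, path = [], problems = []) {
  if (descriptor === null || typeof descriptor !== 'object') return problems;
  for (const map of NAMED_MAPS) {
    const entries = descriptor[map];
    if (entries === null || typeof entries !== 'object') continue;
    for (const [name, value] of Object.entries(entries)) {
      const here = [...path, name];
      if (!IDENT.test(name)) problems.push(here.join('.'));
      if (value && typeof value === 'object') {
        // Fields and methods reference other types by name; check those too.
        for (const key of ['type', 'requestType', 'responseType']) {
          if (typeof value[key] === 'string' && !TYPE_REF.test(value[key])) {
            problems.push(`${here.join('.')}[${key}]`);
          }
        }
        findUnsafeNames(value, here, problems); // recurse into nested types
      }
    }
  }
  return problems;
}

// Gate: true only when the descriptor contains nothing but identifiers.
function isSafeDescriptor(descriptor) {
  return findUnsafeNames(descriptor).length === 0;
}

// Constructed sample descriptors: one clean, one with a non-identifier type name.
const benign = { nested: { Msg: { fields: { id: { type: 'uint32', id: 1 } } } } };
const suspicious = { nested: { 'Msg; x()': { fields: { id: { type: 'uint32', id: 1 } } } } };

module.exports = { findUnsafeNames, isSafeDescriptor, benign, suspicious };
```

This gate is a compensating control for schemas that must be accepted from external sources; it does not replace updating to 7.5.5 or 8.0.1.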

Read the full report for CVE-2026-41242 on our website for more details including interactive diagrams and full exploit analysis.
