CVE Reports

Posted on • Originally published at cvereports.com

GHSA-XQ3M-2V4X-88GG: CVE-2026-41242: Remote Code Execution via Dynamic Code Generation in protobufjs

Vulnerability ID: GHSA-XQ3M-2V4X-88GG
CVSS Score: 9.8
Published: 2026-04-16

CVE-2026-41242 is a critical code injection vulnerability in protobufjs. The library compiles custom serialization functions at runtime using the Function constructor. Prior to versions 7.5.5 and 8.0.1, dynamic type names were not sanitized, allowing an attacker to inject arbitrary JavaScript via crafted schema definitions, leading to remote code execution.

TL;DR

Unsanitized type names in protobufjs schemas allow attackers to inject and execute arbitrary JavaScript during dynamic code compilation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94
  • Attack Vector: Network
  • CVSS v3.1 Score: 9.8
  • EPSS Score: 0.00026
  • Exploit Status: PoC
  • CISA KEV Status: Not Listed
  • Impact: Unauthenticated Remote Code Execution

Affected Systems

  • Node.js applications using protobufjs prior to 7.5.5
  • Node.js applications using protobufjs 8.0.0-experimental
  • protobufjs: < 7.5.5 (Fixed in: 7.5.5)
  • protobufjs: >= 8.0.0-experimental < 8.0.1 (Fixed in: 8.0.1)

Code Analysis

Commit: 535df44

Sanitize the type name in the Type constructor using regular expressions to replace non-word characters.

@@ -29,6 +29,7 @@ var Enum      = require("./enum"),\n  * @param {Object.<string,*>} [options] Declared options\n  */\n function Type(name, options) {\n+    name = name.replace(/\\W/g, "");\n     Namespace.call(this, name, options);
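Review bot: the added `name = name.replace(/\\W/g, "");` rewrites the name silently instead of rejecting it, so distinct inputs such as `Foo.Bar` and `FooBar` collapse to the same Type name after sanitization; consider throwing (or at least logging) when the pattern matches so callers learn their schema was altered. Two smaller points on the same line: as rendered here the regex reads `/\\W/g`, which would match only a literal backslash followed by `W`, so confirm the committed source is `/\W/g`; and because the call runs before `Namespace.call(this, name, options)`, a non-string `name` now fails with a generic TypeError on `.replace` rather than whatever validation Namespace performs, which a `typeof name === "string"` guard ahead of it would avoid.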

Commit: ff7b2af

Sanitize type names in secondary compilation paths.

@@ -29,6 +29,7 @@ var Enum      = require("./enum"),\n  * @param {Object.<string,*>} [options] Declared options\n  */\n function Type(name, options) {\n+    name = name.replace(/\\W/g, "");\n     Namespace.call(this, name, options);
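Review bot: this hunk is identical to the one shown for commit 535df44 (same `@@ -29,6 +29,7 @@` header, same line in the Type constructor), yet the commit message says it sanitizes type names in secondary compilation paths; the excerpt does not show those other call sites, so the page cannot support the claim that every path by which a name reaches the Function constructor is covered. Include the hunks for the secondary paths, and apply the same non-string guard and the same reject-versus-strip consideration there as in the first commit.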

Exploit Details

  • GitHub: Public Proof of Concept repository demonstrating remote code execution via dynamic schema parsing.

Mitigation Strategies

  • Upgrade protobufjs to 7.5.5 or later on the 7.x line, or to 8.0.1 or later on the 8.x line.
  • Apply a runtime monkey patch to sanitize inputs if immediate upgrading is impossible.
  • Block untrusted clients from uploading or modifying protobuf schemas.
  • Utilize WAF rules to detect schema payloads containing JavaScript control characters.

Remediation Steps:

  1. Identify all internal services and dependencies using protobufjs.
  2. Update package.json and lockfiles to require protobufjs >= 7.5.5 or >= 8.0.1.
  3. Run npm audit or yarn audit to verify that no vulnerable versions remain in the dependency tree.
  4. Deploy the updated application to production environments.
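The following example, added here and not part of the advisory or of protobufjs itself, puts two of the points above into code: the "sanitize inputs before they reach the compiler" mitigation, and the version check behind remediation steps 2 and 3. `findUnsafeNames()` walks a protobufjs JSON descriptor (the `{ nested: { ... } }` shape that `Root.fromJSON` consumes) and reports every type or namespace name containing a character outside `\w`, the same class the upstream fix strips; `assertSafeDescriptor()` rejects such a descriptor outright rather than repairing it, which avoids two distinct names silently collapsing into one. `isVulnerableVersion()` evaluates an installed version against the affected ranges stated in this report. The sample descriptor and version strings are constructed for the example; nothing here requires protobufjs to be installed.

```javascript
// Added example (not protobufjs code): defensive checks for CVE-2026-41242.
// 1. findUnsafeNames(): walk a protobufjs JSON descriptor ({nested: {...}},
//    the shape consumed by Root.fromJSON) and report every type/namespace
//    name that contains a non-word character, i.e. anything the upstream fix
//    would strip with name.replace(/\W/g, "").
// 2. isVulnerableVersion(): decide whether a protobufjs version falls in the
//    affected ranges from the advisory (< 7.5.5, or 8.0.0-experimental up to
//    but not including 8.0.1).

// Same character class as the upstream fix: only letters, digits and
// underscore may appear in a name that ends up inside generated code.
const SAFE_NAME = /^\w+$/;

function findUnsafeNames(descriptor, path = []) {
  const unsafe = [];
  const nested = descriptor && descriptor.nested;
  if (!nested || typeof nested !== "object") return unsafe;
  for (const name of Object.keys(nested)) {
    const qualified = path.concat(name);
    if (!SAFE_NAME.test(name)) unsafe.push(qualified.join("."));
    // Namespaces, messages and services may all carry their own `nested` map.
    unsafe.push(...findUnsafeNames(nested[name], qualified));
  }
  return unsafe;
}

// Reject-don't-repair wrapper: throw before the descriptor reaches Root.fromJSON.
// Throwing (instead of stripping characters as the fix does) means two distinct
// names can never be merged into one behind the caller's back.
function assertSafeDescriptor(descriptor) {
  const unsafe = findUnsafeNames(descriptor);
  if (unsafe.length) {
    throw new Error("refusing descriptor with unsafe type names: " + unsafe.join(", "));
  }
  return descriptor;
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error("unrecognized version string: " + v);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric compare; a prerelease (e.g. 8.0.0-experimental) orders before the
// same numeric release, as in semver.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

// Affected: every release below 7.5.5, and 8.0.0-experimental below 8.0.1.
function isVulnerableVersion(version) {
  const p = parseVersion(version);
  if (p.major >= 8) return compareVersions(p, parseVersion("8.0.1")) < 0;
  return compareVersions(p, parseVersion("7.5.5")) < 0;
}

// Constructed sample descriptor (not from the advisory): one clean message and
// one whose name carries a character a generated identifier must never contain.
const SAMPLE_DESCRIPTOR = {
  nested: {
    Outer: {
      nested: {
        Clean: { fields: { id: { type: "uint32", id: 1 } } },
        "Bad-Name": { fields: { id: { type: "uint32", id: 1 } } },
      },
    },
  },
};

console.log("unsafe names:", findUnsafeNames(SAMPLE_DESCRIPTOR));
for (const v of ["6.11.4", "7.5.4", "7.5.5", "8.0.0-experimental", "8.0.1"]) {
  console.log(v, isVulnerableVersion(v) ? "VULNERABLE" : "fixed");
}
```

Run `findUnsafeNames` on every descriptor that arrives from outside the trust boundary (uploaded schemas, schema registries, client-supplied `.proto` converted to JSON) before calling `Root.fromJSON`, and wire `isVulnerableVersion` into a dependency check that reads the installed package's version from the lockfile, alongside `npm audit`. Field and enum value names are not inspected here because the advisory only describes type names as the injection point.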

References

Read the full report for GHSA-XQ3M-2V4X-88GG at cvereports.com for more details, including interactive diagrams and full exploit analysis.
