CVE-2026-41242: Arbitrary code execution in protobufjs
protobufjs could execute generated JavaScript code derived from protobuf schema metadata. When loading a crafted JSON descriptor, schema-controlled type names and type references could reach runtime code generation without sufficient validation.
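Upgrading to a patched release is the fix; as defense in depth for descriptors that arrive from untrusted sources, an application can refuse any descriptor whose schema-controlled names fall outside the protobuf identifier grammar before handing it to protobufjs. The check below is an added example, not protobufjs's own code; it assumes the protobufjs JSON descriptor shape (`nested` / `fields` / `values` / `type`) and the constructed sample descriptors are not taken from the advisory.

```javascript
// Added example (not protobufjs code): reject a protobufjs-style JSON
// descriptor whose type names, field names, enum values or type references
// do not match the protobuf identifier grammar, before Root.fromJSON() runs.

// One protobuf identifier: letter or underscore, then letters/digits/underscores.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// A type reference: optional leading dot, then dot-separated identifiers.
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Walk the descriptor and collect every name that violates the grammar.
function findInvalidIdentifiers(descriptor, path = '', out = []) {
  const nested = descriptor && descriptor.nested;
  if (!nested || typeof nested !== 'object') return out;
  for (const [name, def] of Object.entries(nested)) {
    const here = path ? `${path}.${name}` : name;
    if (!IDENT.test(name)) out.push({ path: here, kind: 'type name', value: name });
    // Message fields: check the field name and the referenced type.
    const fields = def && def.fields;
    if (fields && typeof fields === 'object') {
      for (const [fname, fdef] of Object.entries(fields)) {
        if (!IDENT.test(fname)) out.push({ path: `${here}.${fname}`, kind: 'field name', value: fname });
        const t = fdef && fdef.type;
        if (typeof t !== 'string' || !TYPE_REF.test(t)) out.push({ path: `${here}.${fname}`, kind: 'field type', value: String(t) });
      }
    }
    // Enum values are identifiers too.
    const values = def && def.values;
    if (values && typeof values === 'object') {
      for (const vname of Object.keys(values)) {
        if (!IDENT.test(vname)) out.push({ path: `${here}.${vname}`, kind: 'enum value', value: vname });
      }
    }
    findInvalidIdentifiers(def, here, out); // recurse into nested packages/messages
  }
  return out;
}

// Gate: throw before any code generation can see the descriptor.
function assertSafeDescriptor(descriptor) {
  const bad = findInvalidIdentifiers(descriptor);
  if (bad.length) throw new Error('rejected descriptor: ' + bad.map(b => `${b.kind} ${JSON.stringify(b.value)} at ${b.path}`).join('; '));
  return descriptor;
}

// Constructed sample descriptors (not from the advisory).
const GOOD = { nested: { demo: { nested: { User: { fields: { id: { type: 'uint32', id: 1 }, addr: { type: '.demo.Address', id: 2 } } }, Address: { fields: { city: { type: 'string', id: 1 } } }, Kind: { values: { UNKNOWN: 0, ADMIN: 1 } } } } } };
const BAD = { nested: { 'Not Valid': { fields: { 'f-1': { type: 'string', id: 1 }, ok: { type: 'Foo Bar', id: 2 } } } } };
```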
References
- github.com/advisories/GHSA-xq3m-2v4x-88gg
- github.com/protobufjs/protobuf.js
- github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75
- github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1
- github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
- nvd.nist.gov/vuln/detail/CVE-2026-41242