Platform
nodejs
Component
protobufjs
Fixed in
7.5.6
8.0.1
CVE-2026-41242 is a critical remote code execution (RCE) vulnerability affecting the protobufjs library in Node.js. The vulnerability arises from insufficient validation during the generation of JavaScript code from protobuf schema metadata. An attacker can exploit this by providing a crafted JSON descriptor, potentially leading to arbitrary code execution within the application's process. Affected versions include 8.0.0 through 8.0.1; upgrading to version 7.5.5 resolves the issue.
The impact of CVE-2026-41242 is severe. Successful exploitation allows an attacker to execute arbitrary JavaScript code within the context of the application using protobufjs. This can lead to complete system compromise, including data theft, modification, and denial of service. The attack vector requires control over the protobuf schema or descriptor being loaded, making it particularly dangerous in scenarios where applications dynamically load or process protobuf data from untrusted sources. This vulnerability shares similarities with other deserialization vulnerabilities where crafted input can lead to code execution, but the specific mechanism involves protobuf schema metadata manipulation.
CVE-2026-41242 is not currently listed on the CISA KEV catalog. The EPSS score is likely to be medium to high, given the CRITICAL CVSS score and the potential for remote code execution. Public proof-of-concept (PoC) exploits are likely to emerge, increasing the risk of exploitation. The vulnerability was publicly disclosed on 2026-04-16.
Applications built on Node.js that utilize the protobufjs library, particularly those that load protobuf definitions or JSON descriptors from external or untrusted sources, are at significant risk. This includes microservices, API gateways, and any application that processes data serialized using Protocol Buffers.
• nodejs / supply-chain: list running Node.js processes whose command line references protobufjs (the CommandLine property of Get-Process is available in PowerShell 7; on Windows PowerShell 5.1 use Get-CimInstance Win32_Process instead):
Get-Process | Where-Object { $_.ProcessName -like '*node*' } | Select-Object -ExpandProperty CommandLine | Select-String -Pattern 'require\("protobufjs"\)'
• nodejs / supply-chain: pull Application-log events written by the Node.js provider (the XPath is double-quoted so the inner single quotes around the provider name survive):
Get-WinEvent -LogName Application -FilterXPath "//Event[System[Provider[@Name='Node.js']]]"
• generic web: Inspect Node.js application code for instances where protobufjs is used to load descriptors from external sources.
• generic web: Review application logs for any errors or warnings related to protobufjs schema parsing or code generation.
Disclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-41242 is to upgrade to protobufjs version 7.5.5 or later. If upgrading is not immediately feasible, consider implementing input validation to sanitize protobuf schema metadata before processing. This could involve restricting allowed type names and references or using a more secure protobuf parsing library. Additionally, review application code to ensure that protobuf data is only loaded from trusted sources. There are no specific WAF rules or detection signatures readily available, so robust input validation is crucial. After upgrading, confirm the fix by attempting to load a known malicious protobuf descriptor and verifying that it no longer triggers code execution.
Update to version 8.0.1 or later, or to version 7.5.5, to fix the arbitrary code execution vulnerability. This vulnerability allows malicious code to be injected into the 'type' fields of protobuf definitions, where it is executed during object decoding. The update resolves this issue.
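The mitigation text above recommends restricting allowed type names and references before a descriptor reaches the code generator. The following is an added example, not code from this advisory or from the protobufjs project: an allow-list validator for a protobufjs-style JSON descriptor (the `nested` / `fields` / `type` / `id` / `rule` shape consumed by `protobuf.Root.fromJSON`) that accepts only identifier-like names and dotted type references and rejects everything else before any code generation happens. The sample descriptors and the `loadDescriptorSafely` wrapper are constructed for the example.

```javascript
// Added example (not from the advisory or protobufjs): pre-validate a protobufjs-style
// JSON descriptor so only plain identifiers and dotted type references reach Root.fromJSON().
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// A type reference is a dotted path of identifiers, optionally fully qualified with a leading dot.
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
const RULES = new Set(["optional", "required", "repeated"]);

// Returns a list of human-readable problems; an empty list means the descriptor passed.
function validateDescriptor(desc, path = "") {
  const problems = [];
  if (desc === null || typeof desc !== "object") {
    return [`${path || "<root>"}: descriptor node is not an object`];
  }
  if (desc.fields) {
    for (const [name, field] of Object.entries(desc.fields)) {
      const where = `${path}.${name}`;
      if (!IDENT.test(name)) problems.push(`${where}: bad field name`);
      if (field === null || typeof field !== "object") { problems.push(`${where}: field is not an object`); continue; }
      if (typeof field.type !== "string" || !TYPE_REF.test(field.type)) {
        problems.push(`${where}: type ${JSON.stringify(field.type)} is not a plain type reference`);
      }
      if (!Number.isInteger(field.id) || field.id < 1) problems.push(`${where}: id must be a positive integer`);
      if (field.rule !== undefined && !RULES.has(field.rule)) problems.push(`${where}: unknown rule`);
      if (field.keyType !== undefined && !TYPE_REF.test(String(field.keyType))) problems.push(`${where}: bad map keyType`);
    }
  }
  if (desc.nested) {
    for (const [name, child] of Object.entries(desc.nested)) {
      if (!IDENT.test(name)) problems.push(`${path}.${name}: bad nested name`);
      problems.push(...validateDescriptor(child, `${path}.${name}`));
    }
  }
  return problems;
}

// Constructed sample descriptors: one well-formed, one whose type string is not an identifier
// and must therefore be rejected by the allow-list before code generation.
const GOOD = { nested: { Greeting: { fields: { text: { type: "string", id: 1 },
                                                tags: { rule: "repeated", type: "string", id: 2 } } } } };
const BAD = { nested: { Greeting: { fields: { text: { type: "string; extra", id: 1 } } } } };

// Gate: throw on any problem, otherwise hand the descriptor on (e.g. to protobuf.Root.fromJSON).
function loadDescriptorSafely(desc) {
  const problems = validateDescriptor(desc);
  if (problems.length) throw new Error("rejected descriptor: " + problems.join("; "));
  return desc;
}
```

The validator is a pre-filter, not a replacement for upgrading: it narrows what untrusted descriptors may contain, while the library fix removes the underlying code-generation defect.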
CVE-2026-41242 is a critical remote code execution vulnerability in the protobufjs library for Node.js, allowing attackers to execute arbitrary JavaScript code by crafting malicious protobuf schema metadata.
You are affected if you are using protobufjs versions 8.0.0 through 8.0.1 in your Node.js application and load protobuf definitions or JSON descriptors from untrusted sources.
Upgrade to protobufjs version 7.5.5 or later. If immediate upgrade isn't possible, implement strict input validation on protobuf definitions and descriptors.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation, and monitoring is crucial.
Refer to the official protobufjs project's security advisories and GitHub repository for updates and detailed information: [https://github.com/protobufjs/protobufjs](https://github.com/protobufjs/protobufjs)