Platform
nodejs
Component
protobufjs
Fixed in
7.5.6
8.0.1
8.0.1
CVE-2026-41242 is a critical remote code execution (RCE) vulnerability affecting the protobufjs library in Node.js. The vulnerability arises from insufficient validation during the generation of JavaScript code from protobuf schema metadata. An attacker can exploit this by providing a crafted JSON descriptor, potentially leading to arbitrary code execution within the application's process. Affected versions include 8.0.0 through 8.0.1; upgrading to version 7.5.5 resolves the issue.
The impact of CVE-2026-41242 is severe. An attacker who can control the protobuf definition or JSON descriptor loaded by an application using protobufjs can execute arbitrary JavaScript code. This allows for complete compromise of the application and potentially the underlying server. Attackers could steal sensitive data, install malware, or gain persistent access. The ability to control the protobuf schema makes this vulnerability particularly dangerous, as it bypasses typical input validation mechanisms. This is similar to other deserialization vulnerabilities where malicious data can be injected to execute arbitrary code.
CVE-2026-41242 was publicly disclosed on 2026-04-16. The EPSS score is likely to be high due to the ease of exploitation and the potential for widespread impact. Public proof-of-concept (PoC) code is expected to emerge quickly, further increasing the risk. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS
0.06% (19% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-41242 is to upgrade to protobufjs version 7.5.5 or later. If upgrading is not immediately feasible, consider implementing strict input validation on any protobuf definitions or JSON descriptors received from untrusted sources. This could involve whitelisting allowed type names and references. Additionally, review your application's protobuf usage to ensure that you are not inadvertently exposing schema loading to external control. After upgrading, confirm the fix by attempting to load a known malicious protobuf definition and verifying that it no longer triggers code execution.
Update to version 8.0.1 or higher, or to version 7.5.5 to mitigate the arbitrary code execution vulnerability. This vulnerability allows malicious code injection into the 'type' fields of protobuf definitions, which is executed during object decoding. The update patches this issue.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-41242 is a critical remote code execution vulnerability in the protobufjs library for Node.js, allowing attackers to execute arbitrary JavaScript code by crafting malicious protobuf schema metadata.
You are affected if you are using protobufjs versions 8.0.0 through 8.0.1 in your Node.js application and load protobuf definitions or JSON descriptors from untrusted sources.
Upgrade to protobufjs version 7.5.5 or later. If immediate upgrade isn't possible, implement strict input validation on protobuf definitions and descriptors.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation, and monitoring is crucial.
Refer to the official protobufjs project's security advisories and GitHub repository for updates and detailed information: [https://github.com/protobufjs/protobufjs](https://github.com/protobufjs/protobufjs)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.