Ghostwire

CVE-2026-41242: protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers...

MEDIUM CVSS 0.0 Exploit Available

Published: April 18, 2026 | Last Modified: April 18, 2026

Description

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Ghostwire Analysis — What This Means Practically

Exploit code is reported to be available, increasing the likelihood of active exploitation.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

References

github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d7
github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab47795
github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1
github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
www.tenable.com/cve/CVE-2026-41242
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-41242