CVE-2026-41242
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk50th percentile — higher than 50% of all known CVEs
Summary
A vulnerability in the protobufjs library allows arbitrary JavaScript code injection via specially crafted 'type' fields in protobuf definitions. The code executes during object decoding using that definition. The issue is fixed in versions 8.0.1 and 7.5.5.
Risk Assessment
An attacker can remotely execute arbitrary JavaScript code in the context of the application using protobufjs, leading to system compromise, data theft, or further attack propagation.
Recommendation
Immediately update protobufjs to version 8.0.1 or 7.5.5. Before updating, review any protobuf definitions from untrusted sources for malicious content.
Original NVD description (English source)
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

