{"uuid": "bc70878e-3fcc-4fe1-8a95-ed0d24b64c10", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-XQ3M-2V4X-88GG", "type": "seen", "source": "https://gist.github.com/alon710/f442847fd0d81ee05bc55bd2cc39ff9c", "content": "# GHSA-XQ3M-2V4X-88GG: CVE-2026-41242: Remote Code Execution via Dynamic Code Generation in protobufjs\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-04-16\n> **Full Report:** https://cvereports.com/reports/GHSA-XQ3M-2V4X-88GG\n\n## Summary\nCVE-2026-41242 is a critical code injection vulnerability in protobufjs. The library compiles custom serialization functions at runtime using the `Function` constructor. Prior to versions 7.5.5 and 8.0.1, dynamic type names were not sanitized, allowing an attacker to inject arbitrary JavaScript via crafted schema definitions, leading to remote code execution.\n\n## TL;DR\nUnsanitized type names in protobufjs schemas allow attackers to inject and execute arbitrary JavaScript during dynamic code compilation.\n\n## Exploit Status: PoC\n\n## Technical Details\n\n- **CWE ID**: CWE-94\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 9.8\n- **EPSS Score**: 0.00026\n- **Exploit Status**: PoC\n- **CISA KEV Status**: Not Listed\n- **Impact**: Unauthenticated Remote Code Execution\n\n## Affected Systems\n\n- Node.js applications using protobufjs prior to 7.5.5\n- Node.js applications using protobufjs 8.0.0-experimental\n- **protobufjs**: < 7.5.5 (Fixed in: `7.5.5`)\n- **protobufjs**: >= 8.0.0-experimental < 8.0.1 (Fixed in: `8.0.1`)\n\n## Mitigation\n\n- Upgrade protobufjs to version 7.5.5, 8.0.1 or higher.\n- Apply a runtime monkey patch to sanitize inputs if immediate upgrading is impossible.\n- Block untrusted clients from uploading or modifying protobuf schemas.\n- Utilize WAF rules to detect schema payloads containing JavaScript control characters.\n\n**Remediation Steps:**\n1. Identify all internal services and dependencies using protobufjs.\n2. Update package.json and lockfiles to require protobufjs >= 7.5.5 or >= 8.0.1.\n3. Run npm audit or yarn audit to verify that no vulnerable versions remain in the dependency tree.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Advisory: Remote Code Execution in protobufjs](https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg)\n- [Fix Commit (Mainline)](https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75)\n- [Fix Commit (Secondary)](https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956)\n- [Exploit Proof-of-Concept Repository](https://github.com/4chech/CVE-2026-41242)\n- [NVD - CVE-2026-41242](https://nvd.nist.gov/vuln/detail/CVE-2026-41242)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-41242)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-XQ3M-2V4X-88GG) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T11:02:14.000000Z"}