{"vulnerability": "GHSA-XQ3M-2V4X-88GG", "sightings": [{"uuid": "9782b933-6e95-413a-b99a-0d557032136b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-XQ3M-2V4X-88GG", "type": "published-proof-of-concept", "source": "https://t.me/true_secator/8120", "content": "A PoC has been released for a critical RCE vulnerability in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers protocol.\n\nThe tool is hugely popular in the Node Package Manager (npm) registry, with around 50 million downloads per week on average.\n\nIt is used for inter-service communication, in real-time applications, and for efficient storage of structured data in databases and cloud environments.\n\nThe Endor Labs report notes that the remote code execution vulnerability in protobuf.js is caused by unsafe dynamic code generation. The vulnerability has not yet been assigned a CVE and is currently tracked as GHSA-xq3m-2v4x-88gg (the identifier assigned by GitHub).\n\nAs Endor Labs explains, the library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but it does not validate identifiers taken from the schemas, such as message names.\n\nThis allows an attacker to supply a malicious schema that injects arbitrary code into the generated function, which is then executed when the application processes a message using that schema.\n\nThis opens the way to RCE on servers or in applications that load attacker-influenced schemas, giving access to environment variables, credentials, databases and internal systems, and even enabling lateral movement within the infrastructure.\n\nThe attack can also affect developer machines if they load and decode untrusted schemas locally. The vulnerability affects protobuf.js 8.0.0/7.5.4 and below. Endor Labs recommends upgrading to versions 8.0.1 and 7.5.5, in which the issue is fixed.\n\nThe patch sanitizes type names by removing non-alphanumeric characters, which prevents an attacker from closing the synthesized function.\n\nHowever, Endor Labs notes that a longer-term solution would be to stop passing attacker-accessible identifiers through Function altogether.\n\nThe researchers warn that exploiting the vulnerability is fairly obvious, and that the minimal PoC mentioned in the advisory fully confirms this. However, to date no active exploitation of the vulnerability in the wild has been observed.\n\nThe vulnerability was reported by Endor Labs researcher Cristian Staicu on March 2, and the developers released a patch on GitHub on March 11. Fixes for the npm packages became available on April 4 for the 8.x branch and April 15 for the 7.x branch.\n\nIn addition to upgrading to the fixed versions, Endor Labs also recommends checking transitive dependencies, treating schema loading as untrusted input, and preferring precompiled/static schemas in production.", "creation_timestamp": "2026-04-20T14:23:26.000000Z"}, {"uuid": "e428ad7b-b711-4764-babc-50764909d39f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": 
"ghsa-xq3m-2v4x-88gg", "type": "seen", "source": "https://infosec.exchange/users/mttaggart/statuses/116427325979824661", "content": "", "creation_timestamp": "2026-04-18T19:20:09.117897Z"}, {"uuid": "df2f0d14-af73-488c-b96e-929bb434f5fd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-xq3m-2v4x-88gg", "type": "seen", "source": "https://bsky.app/profile/r-blueteamsec.bsky.social/post/3mjvsm7eyf42n", "content": "", "creation_timestamp": "2026-04-20T06:09:32.269918Z"}, {"uuid": "7441c39c-307c-45e2-91ff-16bb430e5f93", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "GHSA-xq3m-2v4x-88gg", "type": "confirmed", "source": "https://www.endorlabs.com/learn/the-dangers-of-reusing-protobuf-definitions-critical-code-execution-in-protobuf-js-ghsa-xq3m-2v4x-88gg", "content": "", "creation_timestamp": "2026-04-17T04:00:00.000000Z"}, {"uuid": "c6540136-c6b6-4a67-b873-d9fc5fe9b2aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "GHSA-xq3m-2v4x-88gg", "type": "published-proof-of-concept", "source": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg", "content": "", "creation_timestamp": "2026-04-17T04:00:00.000000Z"}, {"uuid": "ea57d5ac-51a7-44ed-b926-4e91ee7d69af", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "ghsa-xq3m-2v4x-88gg", "type": "seen", "source": "https://bsky.app/profile/cyberveille-ch.bsky.social/post/3mjwqbk2ru32v", "content": "", "creation_timestamp": "2026-04-20T15:00:26.485105Z"}, {"uuid": "f8d34c2d-d30f-4f54-b03b-4ee741f3c913", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": 
"GHSA-XQ3M-2V4X-88GG", "type": "published-proof-of-concept", "source": "Telegram/x12vbbUj9eUCE8CmwEAAyNGNC_B8MsPtTe6lQq2voLeHmZk", "content": "", "creation_timestamp": "2026-04-18T19:15:08.000000Z"}, {"uuid": "efeee332-e1eb-4518-862d-c86bdd9f0623", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-XQ3M-2V4X-88GG", "type": "published-proof-of-concept", "source": "Telegram/FKYnF9b6jOQztogaME2Ub2uqb7DVqD6polRIMPyeJFMfQJw", "content": "", "creation_timestamp": "2026-04-18T19:00:12.000000Z"}, {"uuid": "bc70878e-3fcc-4fe1-8a95-ed0d24b64c10", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-XQ3M-2V4X-88GG", "type": "seen", "source": "https://gist.github.com/alon710/f442847fd0d81ee05bc55bd2cc39ff9c", "content": "# GHSA-XQ3M-2V4X-88GG: CVE-2026-41242: Remote Code Execution via Dynamic Code Generation in protobufjs\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-04-16\n> **Full Report:** https://cvereports.com/reports/GHSA-XQ3M-2V4X-88GG\n\n## Summary\nCVE-2026-41242 is a critical code injection vulnerability in protobufjs. The library compiles custom serialization functions at runtime using the `Function` constructor. Prior to versions 7.5.5 and 8.0.1, dynamic type names were not sanitized, allowing an attacker to inject arbitrary JavaScript via crafted schema definitions, leading to remote code execution.\n\n## TL;DR\nUnsanitized type names in protobufjs schemas allow attackers to inject and execute arbitrary JavaScript during dynamic code compilation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-94\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 9.8\n- **EPSS Score**: 0.00026\n- **Exploit Status**: PoC\n- **CISA KEV Status**: Not Listed\n- **Impact**: Unauthenticated Remote Code Execution\n\n## Affected Systems\n\n- Node.js applications using protobufjs prior to 7.5.5\n- Node.js applications using protobufjs 8.0.0-experimental\n- **protobufjs**: < 7.5.5 (Fixed in: `7.5.5`)\n- **protobufjs**: >= 8.0.0-experimental < 8.0.1 (Fixed in: `8.0.1`)\n\n## Mitigation\n\n- Upgrade protobufjs to version 7.5.5, 8.0.1 or higher.\n- Apply a runtime monkey patch to sanitize inputs if immediate upgrading is impossible.\n- Block untrusted clients from uploading or modifying protobuf schemas.\n- Utilize WAF rules to detect schema payloads containing JavaScript control characters.\n\n**Remediation Steps:**\n1. Identify all internal services and dependencies using protobufjs.\n2. Update package.json and lockfiles to require protobufjs >= 7.5.5 or >= 8.0.1.\n3. Run npm audit or yarn audit to verify that no vulnerable versions remain in the dependency tree.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Advisory: Remote Code Execution in protobufjs](https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg)\n- [Fix Commit (Mainline)](https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75)\n- [Fix Commit (Secondary)](https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956)\n- [Exploit Proof-of-Concept Repository](https://github.com/4chech/CVE-2026-41242)\n- [NVD - CVE-2026-41242](https://nvd.nist.gov/vuln/detail/CVE-2026-41242)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-41242)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-XQ3M-2V4X-88GG) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T11:02:14.000000Z"}]}