CVE-2026-41242

Sažetak

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Reference

https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75
https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

20-04-2026 - 19:03

Objavljeno

18-04-2026 - 17:16