A critical-severity remote code execution (RCE) vulnerability tracked as CVE-2026-41242 and GHSA-xq3m-2v4x-88gg has been disclosed in protobuf.js, the most widely used JavaScript implementation of Google’s Protocol Buffers, threatening over 220 million monthly npm downloads and placing millions of cloud-native applications at immediate risk.
Researchers at Endor Labs published a technical report on April 16, 2026, confirming that the flaw carries a CVSS v4 base score of 9.4 (Critical), with a CVSS vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H.
The Vulnerability affects all versions of protobufjs up to and including 8.0.0 and 7.5.4, and has been patched in the newly released versions 8.0.1 and 7.5.5.
protobuf.js Vulnerability
protobuf.js is the de facto JavaScript runtime for Protocol Buffers (protobuf), the binary data serialization format developed by Google and used across virtually every modern cloud platform.
The library is downloaded roughly 52 million times per week on npm and powers communication layers in applications built on Google Cloud, Firebase, gRPC, and most cloud-native stacks.
Because protobuf.js is often pulled in as a transitive dependency embedded silently inside libraries like @grpc/proto-loader In many development teams, Firebase SDKs are shipped without even knowing they are present in their environment.
Unsafe Dynamic Code Generation
The root cause of CVE-2026-41242 lies in how protobuf.js handles schema compilation. When processing a protobuf definition file, the library dynamically assembles JavaScript function source strings for every message type and passes them to the Function() A constructor is a practice functionally equivalent to eval() for performance reasons.
This design pattern enables faster decoding of binary messages at runtime, but it creates a direct injection vector: if an attacker can control the content of a protobuf definition file, they can embed arbitrary JavaScript in the type field of a message definition, which will then execute during normal object decoding.
According to the GitHub Security Advisory, the attack specifically targets the type fields of protobuf definitions, where malicious actors can inject JavaScript expressions that get assembled into the dynamically compiled function body and subsequently executed.
Critically, the exploit is triggered on the production decode path, meaning a routine API call from a regular user can detonate the malicious payload if the server’s schema has been poisoned.
Proof-of-Concept Exploit Publicly Released
A working proof-of-concept (PoC) exploit has been publicly released alongside the advisory, dramatically lowering the bar for exploitation.
The PoC demonstrates that loading a crafted JSON-based protobuf descriptor containing injected JavaScript in the type name field and then calling .decode() on a completely benign binary buffer is sufficient to trigger arbitrary OS command execution, including spawning child processes via Node.js’s child_process module.
The advisory’s minimal PoC shows the payload executing id (a Unix identity command) Upon object decode, confirm full command execution on the underlying operating system.
In a real-world attack, this translates to data exfiltration, ransomware deployment, cryptominer installation, lateral movement, or complete infrastructure takeover, all triggered via standard application traffic.
CVSS v4 Scoring and Severity Breakdown
The Vulnerability scores 9.4 Critical under CVSS v4, reflecting its extreme exploitability and impact profile:
- Attack Vector: Network – exploitable remotely without physical access
- Attack Complexity: Low – no specialized conditions required
- Attack Requirements: None – no race condition or special configuration needed
- Privileges Required: Low – only basic user-level access to submit input
- User Interaction: None – no victim interaction required to trigger execution
- Confidentiality / Integrity / Availability Impact: High across both vulnerable and subsequent systems
The subsequent system impact metrics also rate High across all three pillars, indicating that a successful compromise can cascade beyond the initially targeted host into interconnected infrastructure.
Affected Versions and Patches
| Branch | Vulnerable Versions | Patched Version |
|---|---|---|
| v8.x | ≤ 8.0.0 | 8.0.1 |
| v7.x | ≤ 7.5.4 | 7.5.5 |
The fix applies strict alphanumeric filtering to protobuf type names during the code generation phase, stripping all non-word characters, parentheses, braces, semicolons, quotes, and whitespace before they can reach the Function() constructor.
The commit notes that there is no legitimate reason for a protobuf type name to contain characters outside the [A-Za-z0-9_] set.
Mitigation and Recommended
Security teams should treat this Vulnerability as a critical-priority patch:
- Upgrade immediately using
npm install protobufjs@^8.0.1ornpm install protobufjs@^7.5.5 - Audit transitive dependencies with
npm ls protobufjsto surface hidden pulls through@grpc/proto-loader, Firebase, or Google Cloud SDKs - Treat schema-loading as untrusted input
Root.fromJSON,load, andparseon user-controlled bytes are equivalent toeval()on untrusted data - Prefer precompiled static artifacts in production using
pbjsandpbtsto emit static, auditable code that doesn’t require runtime compilation - Integrate Software Composition Analysis (SCA) tools into CI/CD pipelines to flag vulnerable dependency versions before they reach production
Organizations should also note that GitLab’s Advisory Database rates this Vulnerability at 9.9 Critical, reflecting the potential for downstream impact through package reuse. This disclosure comes amid a surge in npm supply chain attacks.
The protobuf.js Vulnerability is particularly dangerous because it doesn’t require a compromised package registry; an attacker only needs to control or manipulate the schema definition files consumed at runtime, which are often sourced dynamically from external APIs, microservices, or user-controlled storage buckets.
Endor Labs researchers warn that this is part of a broader pattern where legitimate developer tools become code-execution primitives when fed hostile input, urging teams to treat .proto files and schema-loading endpoints with the same security rigor applied to executable binaries.
FAQ
Q1: What is CVE-2026-41242 in protobuf.js?
It is a critical RCE vulnerability (CVSS 9.4) in protobuf.js, where attackers can inject arbitrary JavaScript into protobuf type fields to execute code during object decoding.
Q2: Which versions of protobuf.js are affected by GHSA-xq3m-2v4x-88gg?
All versions of protobufjs at or below 8.0.0 and 7.5.4 are vulnerable; patched versions are 8.0.1 and 7.5.5.
Q3: How can I check if my project is affected by the protobuf.js Vulnerability?
Run npm ls protobufjs in your project directory to detect both direct and transitive uses of the vulnerable library.
Q4: Is there a public exploit available for the protobuf.js RCE vulnerability?
Yes, a working proof-of-concept has been publicly released, making immediate patching critical for all affected environments.
Site: thecybrdef.com
About the Author
