protobuf.js CVE-2026-41242: Critical Code Injection Vulnerability
Security Analysis · June 13, 2026

CVE-2026-41242: Critical protobuf.js Code Injection
CVSS 9.8 — Exploit, Impact, and Full Patch Guide

A critical code injection vulnerability in protobuf.js allows attackers to execute arbitrary code on Node.js servers by crafting malicious protobuf definitions. With 52 million weekly npm downloads and a chain of 5 follow-up CVEs, this is one of 2026's most significant npm supply-chain security incidents.

Oleg Maximov · June 13, 2026

⚠ CRITICAL — Immediate action required

If your application uses protobufjs 7.5.4 or earlier, or exactly 8.0.0, it is vulnerable to remote code execution via malicious protobuf definitions. Update to at least 7.5.6 / 8.0.2 (the first releases that also close the follow-up injection CVEs); the current releases are 7.6.4 / 8.6.3. Applications that load .proto files or JSON descriptors from external sources are at the highest risk.

TL;DR — What happened

Vulnerability Overview

On April 17, 2026, the protobuf.js maintainers disclosed CVE-2026-41242, a critical code injection vulnerability in one of npm's most depended-upon packages. protobuf.js is the JavaScript runtime for Protocol Buffers, Google's language-neutral serialization format, and is downloaded roughly 52 million times a week from npm.

The vulnerability was assigned a CVSS 3.1 score of 9.8 (CRITICAL) by NVD, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network-based, low complexity, no privileges required, no user interaction, full compromise of confidentiality, integrity, and availability. GitHub Security Advisories scored it 8.7 (HIGH) under CVSS 4.0, citing LOW privilege requirements.

Credit for the finding goes to cristianstaicu, alexander-fenster, and sofisl. The issue is classified as CWE-94 (Improper Control of Generation of Code, 'Code Injection') and tracked as GHSA-xq3m-2v4x-88gg.

Why it matters: protobuf.js is a foundational piece of the npm ecosystem. It's a transitive dependency of Google Cloud client libraries, the Firebase SDK, gRPC-web, and thousands of other packages. Any application that consumes .proto files or JSON descriptors from untrusted sources is at direct risk of server compromise.

Technical Root Cause

protobuf.js does not interpret a schema at runtime; it compiles each message type into JavaScript. The first time a type's encode, decode, verify, toObject or fromObject method is needed, the library assembles that function's source as text and evaluates it with Function(). The type's name is spliced into that text as part of the generated function's name (for example Person$decode), so it lands in code position rather than in data.

The vulnerability is remarkably simple in retrospect: the name was spliced in without sanitization. A name containing characters such as parentheses, braces, quotes or semicolons is no longer a bare identifier; it can close the function header early and inject arbitrary JavaScript into the source that gets evaluated.

// Simplified: how the exploit works.
// protobuf.js's codegen helper builds each generated function as source text,
// with the type's name spliced into the function's name, and evaluates the
// text with Function() (parameter lists abbreviated here):
//
//   "return function " + type.name + "$decode(r,l){\n  " + body + "\n}"
//
// For a type named Person that text is a harmless function:
return function Person$decode(r, l) {
  // ...generated decoding body...
}

// With a crafted type name such as:
//   Person(r,l){}(process.mainModule.require('child_process').execSync('id'));function X
// the same template produces:
return function Person(r, l) {}(process.mainModule.require('child_process').execSync('id'));
function X$decode(r, l) {
  // ...generated decoding body (still valid, so nothing fails to compile)...
}
// The execSync() call sits in an argument expression, so it is evaluated the
// moment Function() runs the source: the command executes before any message
// is decoded, and the "decoder" handed back is the attacker's empty function.

The Fix: One Line

The fix (PR #2127) is a single line added to the Type constructor in src/type.js:

// Before (vulnerable):
// Type names were used as-is in generated code

// After (patched in 7.5.5 / 8.0.1):
name = name.replace(/\W/g, "");

This regex strips every non-word character (anything other than A-Z, a-z, 0-9 and underscore) from the type name, so whatever is spliced into generated source is always a plain identifier fragment. The commit message explains: "There is no reason why the type name would contain anything other than alphanumeric characters. Filter the remaining characters with a regex." Note that the fix sanitizes by deletion rather than rejection: a hostile name is silently reduced to its word characters instead of raising an error, so a loader that wants to fail loudly on such input has to check names itself.
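To see the injection and the one-line fix side by side, here is an added example (editor's code, not protobuf.js or the maintainers' code). generateDecoder is a minimal stand-in for the library's codegen pattern, and the marker payload and HOSTILE_NAME are constructed for the demo; a real payload would call child_process as in the sketch above.

```javascript
// Stand-in for util.codegen: the generated function's *name* is derived from
// the type name, and the whole text is evaluated with Function().
function generateDecoder(typeName, body) {
  const source = "return function " + typeName + "$decode(r,l){\n  " + body + "\n}";
  return Function(source)();
}

// Harmless stand-in for what a real payload would do (child_process etc.).
const sideEffects = [];
globalThis.__demoPayload = function () { sideEffects.push("payload ran"); return 0; };

// Crafted type name: closes the function early (returning itself so the caller
// still gets a function), runs the payload inside an argument expression, then
// opens a new function so the remainder of the template still parses.
const HOSTILE_NAME = "Evil(r,l){return Evil}(__demoPayload());function Safe";

function vulnerableBuild(typeName) {
  return generateDecoder(typeName, "return r;");                     // pre-7.5.5 / 8.0.1 behaviour
}

function patchedBuild(typeName) {
  return generateDecoder(typeName.replace(/\W/g, ""), "return r;");  // PR #2127 applied to the name
}

// Build a decoder both ways from the same hostile name and report what happened.
function demo() {
  sideEffects.length = 0;
  const evil = vulnerableBuild(HOSTILE_NAME);
  const ranDuringVulnerableBuild = sideEffects.length;
  const safe = patchedBuild(HOSTILE_NAME);
  const ranDuringPatchedBuild = sideEffects.length - ranDuringVulnerableBuild;
  return {
    ranDuringVulnerableBuild,          // 1: the payload fired while the source was evaluated
    ranDuringPatchedBuild,             // 0: nothing but word characters reached the source
    evilName: evil.name,               // "Evil": the attacker's function, not a decoder
    safeName: safe.name,               // "<word chars only>$decode": a real decoder
    safeDecodes: safe("payload") === "payload",
  };
}
```

The point the demo makes is that the payload runs during evaluation of the generated source, not when a message is later decoded, and that after the fix the hostile name collapses into an ugly but inert identifier.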

Prototype Pollution Vector

A second fix (PR #2126) addressed a related attack vector: prototype pollution via the Message constructor. The constructor copied every own key of the properties object onto the new message, including a key named __proto__; because that assignment goes through the __proto__ accessor, attacker-controlled JSON could rewire the prototype chain of the object being built:

// Prototype pollution via the Message constructor (before PR #2126):
const protobuf = require("protobufjs");
// JSON.parse creates an *own* key literally named "__proto__" ...
const properties = JSON.parse('{"__proto__": {"polluted": "yes"}}');
// ... which the constructor copies like any other key: this["__proto__"] = value.
// That assignment goes through the __proto__ accessor and swaps the new
// message's prototype for the attacker's object:
const message = new protobuf.Message(properties);
// message.polluted === "yes"   (inherited from the attacker's object)
// Object.getPrototypeOf(message) !== protobuf.Message.prototype

// The fix skips the key while iterating properties:
// if (key === "__proto__") continue;
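The following added example (editor's code, not protobuf.js code) reproduces the constructor's copy loop before and after the filter against constructed hostile JSON, so the effect of the __proto__ key can be checked directly. VulnerableMessage, PatchedMessage and HOSTILE_JSON are stand-ins built for this demo.

```javascript
function VulnerableMessage(properties) {
  // Same copy loop as the pre-fix constructor: every own key is assigned, and
  // an own key literally named "__proto__" hits the __proto__ setter.
  if (properties)
    for (var keys = Object.keys(properties), i = 0; i < keys.length; ++i)
      this[keys[i]] = properties[keys[i]];
}
VulnerableMessage.prototype.toJSON = function () { return "real toJSON"; };

function PatchedMessage(properties) {
  if (properties)
    for (var keys = Object.keys(properties), i = 0; i < keys.length; ++i) {
      if (keys[i] === "__proto__") continue;   // the fix: never assign through the accessor
      this[keys[i]] = properties[keys[i]];
    }
}
PatchedMessage.prototype.toJSON = function () { return "real toJSON"; };

// Constructed attacker input. JSON.parse yields an own "__proto__" key, unlike
// an object literal, which would set the prototype at parse time instead.
const HOSTILE_JSON =
  '{"name":"x","__proto__":{"polluted":"yes","toJSON":"hijacked"}}';

// Build a message with the given constructor and report what the instance
// ended up inheriting.
function inspect(Ctor) {
  const m = new Ctor(JSON.parse(HOSTILE_JSON));
  return {
    prototypeIntact: Object.getPrototypeOf(m) === Ctor.prototype,
    polluted: m.polluted,                                     // "yes" only if the chain was rewired
    toJSON: typeof m.toJSON === "function" ? m.toJSON() : m.toJSON,
    globalPolluted: ({}).polluted,                            // Object.prototype is untouched either way
  };
}
```

Note what the vulnerable case does and does not do: the message instance now inherits from the attacker's object (its real methods such as toJSON are shadowed), while Object.prototype itself is not modified by this particular path.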

The Attack Chain

The full exploit chain for CVE-2026-41242 follows this path:

  1. Crafted input: An attacker provides a malicious .proto file or JSON descriptor containing type names with JavaScript injection payloads
  2. Compilation: protobuf.js compiles the definition, embedding the malicious type name unsanitized into generated JavaScript code
  3. Generated function: The generated encode/decode function contains the attacker's JavaScript code in a string concatenation chain
  4. Trigger: When any code calls the generated function (encode, decode, toObject, or verify), the injected JavaScript executes
  5. Full compromise: The attacker gains arbitrary code execution in the Node.js process, typically deploying a web shell, exfiltrating data, or establishing persistence

Key insight: the flaw sits in code generation, not in wire-format parsing, so the attacker never has to get a message past the decoder. The payload is part of the generated source itself and runs when protobuf.js evaluates that source, which happens the first time one of the type's generated methods is needed, before any actual message has been encoded or decoded.

Affected Versions

Initial CVE-2026-41242

Branch   Affected   Patched   Date
7.x      <=7.5.4    7.5.5     Apr 17, 2026
8.x      ==8.0.0    8.0.1     Mar 11, 2026

Full Vulnerability Chain (6 CVEs)

The initial fix in 7.5.5 and 8.0.1 was incomplete. Over the following two months, the maintainers disclosed 5 additional CVEs — including code injection bypasses, prototype pollution chains, and CLI-specific vulnerabilities:

CVE ID           Type   CVSS   Package         Description
CVE-2026-41242   RCE    9.8    protobufjs      Code injection through malicious type names in protobuf definitions
CVE-2026-44293   RCE    7.7    protobufjs      Code injection through bytes field defaults in generated toObject code
CVE-2026-44291   RCE    8.1    protobufjs      Code generation gadget after prototype pollution: attacker-controlled type lookup
CVE-2026-44295   RCE    8.7    protobufjs-cli  Code injection in pbjs static output from crafted schema names
CVE-2026-54271   RCE    8.2    protobufjs-cli  Bypass of CVE-2026-44295: JSON descriptor input still produced unsafe references
CVE-2026-54269   DoS    5.3    protobufjs      Schema names like `valueOf`, `rpcImpl` collide with runtime helpers

Real-World Impact

protobuf.js is one of the most widely used packages on npm, with approximately 52 million weekly downloads. It is a transitive dependency of the Google Cloud client libraries, the Firebase SDK, gRPC-web, TensorFlow.js, the Apache Cassandra driver, and thousands of other packages.

The critical risk profile applies to applications that load protobuf definitions from untrusted sources, for example a service that accepts user-uploaded .proto files, or an API gateway that processes external JSON descriptors. Even if your application only uses hardcoded .proto files, a supply-chain attack that modifies those files, or a compromised dependency that ships its own descriptors, would achieve server compromise.

Fix and Patch Guide

1. Update protobufjs Immediately

Upgrade to the latest secure versions:

# Check your current version
npm ls protobufjs

# Update to the latest secure version
npm install protobufjs@latest

# Or pin the current release of your major line:
# 7.x users (recommended: jump to the latest 7.x)
npm install protobufjs@7.6.4

# 8.x users
npm install protobufjs@8.6.3

2. Update protobufjs-cli (if used)

# If you use pbjs or pbts in your build pipeline
npm install protobufjs-cli@latest
# Minimum: 1.3.2 (1.x) or 2.5.0 (2.x)
# Latest: 2.5.4

3. Check for Transitive Dependencies

protobuf.js is commonly a transitive dependency. Check if any of your dependencies still pin a vulnerable version:

# Find every protobufjs copy in your dependency tree, nested ones included
npm ls protobufjs --all

# Same for protobufjs-cli
npm ls protobufjs-cli --all

# A nested copy pinned by a transitive dependency is NOT fixed by installing a
# newer top-level copy. Force the resolution with "overrides" in package.json
# (npm 8.3+; Yarn uses "resolutions", pnpm uses "pnpm": { "overrides": ... }),
# then reinstall:
#   "overrides": {
#     "protobufjs": "7.6.4"
#   }
npm install

4. Verify the Fix

# Confirm the version
npm ls protobufjs
# Expected: 7.6.4 or 8.6.3 (or higher)

# For protobufjs-cli
npm ls protobufjs-cli
# Expected: 2.5.4 or higher
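For a repeatable check across many repositories, here is an added example (editor's script, not from the advisory or protobuf.js) that walks a package-lock.json "packages" map (lockfileVersion 2 or 3) and flags every protobufjs or protobufjs-cli copy below the minimum versions this article cites. SAMPLE_LOCK is a constructed lockfile; the thresholds in MINIMUM_SAFE come from the version tables above, and majors outside those tables are reported for manual review rather than judged.

```javascript
// Minimum patched versions per major line, taken from this article.
const MINIMUM_SAFE = {
  "protobufjs":     { 7: "7.5.6", 8: "8.0.2" },
  "protobufjs-cli": { 1: "1.3.2", 2: "2.5.0" },
};

// Compare plain x.y.z versions numerically (the published releases in
// question carry no pre-release tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns { status: "vulnerable" | "patched" | "not-in-table", minimum }.
function classify(name, version) {
  const major = Number(version.split(".")[0]);
  const minimum = MINIMUM_SAFE[name] && MINIMUM_SAFE[name][major];
  if (!minimum) return { status: "not-in-table", minimum: null };
  return { status: compareVersions(version, minimum) < 0 ? "vulnerable" : "patched", minimum };
}

// Walk the "packages" map; keys look like "node_modules/a/node_modules/protobufjs",
// so the last node_modules segment is the package name (scoped names included).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!(name in MINIMUM_SAFE)) continue;
    findings.push({ path, name, version: entry.version, ...classify(name, entry.version) });
  }
  return findings;
}

function vulnerableFindings(lock) {
  return scanLockfile(lock).filter(f => f.status === "vulnerable");
}

// Constructed lockfile: a patched direct copy, a vulnerable nested copy pulled
// in by a transitive dependency, and an old CLI.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/protobufjs": { version: "7.6.4" },
    "node_modules/some-sdk": { version: "2.1.0", dependencies: { protobufjs: "^8.0.0" } },
    "node_modules/some-sdk/node_modules/protobufjs": { version: "8.0.0" },
    "node_modules/protobufjs-cli": { version: "1.3.1" },
  },
};

// Example run (replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json"))):
// for (const f of vulnerableFindings(SAMPLE_LOCK))
//   console.log(`${f.path}: ${f.name}@${f.version} < ${f.minimum}`);
```

The nested copy is the case npm audit users most often miss: the top-level protobufjs is already 7.6.4, yet some-sdk still resolves its own 8.0.0, and only an override (or an upstream release) removes it.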

Workarounds (If You Cannot Patch)

If an immediate upgrade is not possible (e.g., due to compatibility constraints):

⚠ Workarounds are temporary

These mitigations reduce risk but do not eliminate it. The only complete fix is upgrading to a patched protobufjs version. Attackers only need one way in — a lone unpatched service, a forgotten transitive dependency, or a single .proto file from an external source can lead to full server compromise.
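One stopgap that follows directly from the root-cause analysis above is to refuse a JSON descriptor before it reaches protobuf.js if any reflection name would fail the library's own /\W/ filter, or if it carries a __proto__ key. The guard below is an added example (editor's code, not a workaround published by the maintainers); it walks the { nested: { ... } } shape consumed by Root.fromJSON, treats the keys of nested, fields, values, methods and oneofs as names, and covers only the two fixes discussed above, not the later CVEs in the chain. Both descriptors are constructed for the demo.

```javascript
const SAFE_NAME = /^\w+$/;   // the complement of the /\W/g filter in the patch
const NAMED_COLLECTIONS = new Set(["nested", "fields", "values", "methods", "oneofs"]);

// Collect every violation instead of stopping at the first, so a rejected
// descriptor can be logged with all offending paths.
function findUnsafeNames(node, path = [], out = []) {
  if (node === null || typeof node !== "object") return out;
  for (const key of Object.keys(node)) {
    const here = [...path, key];
    if (key === "__proto__") {                         // own key from JSON.parse, never a real name
      out.push({ path: here.join("."), reason: "prototype key" });
      continue;
    }
    const child = node[key];
    if (NAMED_COLLECTIONS.has(key) && child && typeof child === "object") {
      // Keys of these collections become Type/Field/Enum/Service/OneOf names.
      for (const name of Object.keys(child)) {
        const namePath = [...here, name];
        if (name === "__proto__") {
          out.push({ path: namePath.join("."), reason: "prototype key" });
        } else {
          if (!SAFE_NAME.test(name))
            out.push({ path: namePath.join("."), reason: "non-word characters in name" });
          findUnsafeNames(child[name], namePath, out);
        }
      }
    } else {
      findUnsafeNames(child, here, out);
    }
  }
  return out;
}

// Gate to place in front of protobuf.Root.fromJSON(json) on vulnerable versions.
function assertSafeDescriptor(json) {
  const problems = findUnsafeNames(json);
  if (problems.length)
    throw new Error("unsafe descriptor: " + problems.map(p => `${p.path} (${p.reason})`).join("; "));
  return json;
}

// Constructed descriptors.
const CLEAN_DESCRIPTOR = JSON.parse(`{
  "nested": { "demo": { "nested": {
    "Person": { "fields": { "name": { "type": "string", "id": 1 } } },
    "Color":  { "values": { "RED": 0, "BLUE": 1 } }
  } } }
}`);

const HOSTILE_DESCRIPTOR = JSON.parse(`{
  "nested": {
    "Evil(r,l){}(globalThis.hit=1);function X": { "fields": { "a": { "type": "int32", "id": 1 } } },
    "__proto__": { "polluted": true }
  }
}`);
```

Rejecting rather than stripping is deliberate: unlike the library patch, a loader in front of untrusted input should fail loudly and log the offending path instead of silently renaming the type.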

Complete Timeline

Date              Event
Mar 7, 2026       PR #2126 opened: __proto__ filter in Message constructor
Mar 11, 2026      PR #2127 opened: type name sanitization (/\W/g filter); v8.0.1 released
Apr 15, 2026      Fix cherry-picked to 7.x branch (commit ff7b2af)
Apr 17, 2026      v7.5.5 released, patching CVE-2026-41242 on 7.x
Apr 27–28, 2026   v7.5.6 and v8.0.2 released: follow-up security fixes (CVE-2026-44291, CVE-2026-44293)
May 12, 2026      5 advisories published: CVE-2026-44291/44293/44295 + CLI advisories
Jun 9–10, 2026    v7.6.3 / v8.6.2 / v8.6.3 released: CVE-2026-54269 fix and bug fixes
Jun 13, 2026      Latest releases: v7.6.4, v8.6.3

Lessons for the Industry

The protobuf.js vulnerability chain offers several important takeaways:

FAQ

What is CVE-2026-41242?
CVE-2026-41242 is a critical (CVSS 9.8) code injection vulnerability in protobuf.js. It allows an attacker to execute arbitrary JavaScript code on a server by providing a crafted protobuf definition with malicious type names. When protobuf.js compiles the definition into JavaScript, the unsanitized type names are embedded directly into generated code, enabling code execution.
Which protobuf.js versions are affected?
protobuf.js versions 7.x up to 7.5.4 and version 8.0.0 are affected by CVE-2026-41242. The initial fix was released in 7.5.5 (April 17) and 8.0.1 (March 11). Due to follow-up CVEs that bypassed the initial fix, the latest secure versions are 7.6.4 and 8.6.3 as of June 2026.
How does the protobuf.js exploit work?
The exploit embeds malicious JavaScript in a protobuf type name. When protobuf.js compiles the definition, the name is spliced into the generated function's name without sanitization. A crafted name containing characters like parentheses or braces therefore breaks out of the identifier position, and the injected code runs when protobuf.js evaluates the generated source.
What is the CVSS score?
NVD assigns a CVSS 3.1 score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. GitHub Security Advisories assigns a CVSS 4.0 score of 8.7 (HIGH). The gap comes from the privileges-required metric: GitHub's vector rates it LOW (PR:L), NVD's rates it NONE (PR:N).
Was prototype pollution also addressed?
Yes. PR #2126 added a __proto__ filter in the Message constructor. Before the fix, passing a crafted JSON object with a __proto__ key rewired the prototype of the message being constructed. This is the class of bug that CVE-2026-44291 (code generation gadget after prototype pollution, CVSS 8.1) builds on: with a polluted prototype, protobufjs could resolve attacker-controlled properties as valid type info during code generation.
Which packages depend on protobuf.js?
protobuf.js has approximately 52M weekly npm downloads. It is used by Google Cloud client libraries, Firebase SDK, gRPC-web, TensorFlow.js, Apache Cassandra driver, and thousands of other npm packages. If your Node.js application communicates with any Google Cloud service, it almost certainly has protobufjs as a transitive dependency.
How do I fix CVE-2026-41242?
Update protobufjs to >=7.5.6 (7.x) or >=8.0.2 (8.x). The latest versions are 7.6.4 and 8.6.3. Also update protobufjs-cli to >=1.3.2 (1.x) or >=2.5.0 (2.x) if you use pbjs/pbts. Run 'npm audit fix' or manually update your package.json. Check your transitive dependency tree with 'npm ls protobufjs' — not all vulnerable installations are direct dependencies.

Summary

CVE-2026-41242 is one of the most significant npm supply-chain security incidents of 2026. A CVSS 9.8 code injection vulnerability in protobuf.js — a package with 52 million weekly downloads — demonstrates how a single unsanitized string interpolation can compromise thousands of applications.

The incident was prolonged by the chain of 5 follow-up CVEs, several of which bypassed the initial fix, highlighting the value of reviewing the whole code-generation path over patching the minimal reproducer. The protobuf.js maintainers have now addressed all known vectors, and the latest versions (7.6.4 and 8.6.3) are secure.

For developers, the key takeaway is clear: protobuf definitions loaded from external sources are a critical attack surface. Even if you only use hardcoded .proto files, your transitive dependency graph may be vulnerable. Run npm audit, check your dependency tree, and update to the latest protobufjs versions today.

Contact

Need help securing your web application?

I build production applications with modern tools — React, Next.js, Node.js, and TypeScript — with security as a core concern. Let's discuss your project.