protobufjs compiles protobuf definitions into JavaScript (JS) decoding and encoding functions, so the contents of a definition end up in generated source. In versions prior to 7.5.5 and 8.0.1, an attacker who can supply or modify a definition can place arbitrary JavaScript in its "type" fields, and that code executes when an object is decoded using the generated function. The precondition is control over the definition itself (the descriptor), not merely over the encoded messages decoded with it. Versions 7.5.5 and 8.0.1 patch the issue.
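As an added illustration, not code from protobufjs or from the advisory, the following toy JavaScript code generator reproduces the CWE-94 pattern the description refers to: a descriptor's "type" string is spliced verbatim into generated source and compiled with new Function, so a descriptor from an untrusted source runs attacker-chosen statements as soon as the generated decoder runs. The descriptor shape, the readers table and the helper names (buildDecoderUnsafe, buildDecoderSafe, isValidTypeName, demonstrateInjection) are assumptions for this example; the hardened variant shows one mitigation, an allowlist check on identifiers before they reach the source template, and is not protobufjs's actual fix.

```javascript
// Added example for this page: a toy code generator that reproduces the
// CWE-94 pattern described above. It is NOT protobufjs's codegen and NOT
// its fix; the descriptor shape, the readers table and all function names
// here are assumptions made for the illustration.

// Constructed "wire" readers: each takes (buf, offset) and returns
// [value, newOffset]. A descriptor's "type" names one of these.
const readers = {
  uint32: (buf, i) => [buf[i], i + 1],
  string: (buf, i) => {
    const n = buf[i];
    return [String.fromCharCode(...buf.slice(i + 1, i + 1 + n)), i + 1 + n];
  },
};

// Vulnerable generator: descriptor.type and descriptor.name are pasted
// verbatim into JavaScript source, then compiled with new Function.
// Anything other than a bare identifier in "type" becomes executable code.
function buildDecoderUnsafe(descriptor) {
  const src =
    `const value = readers.${descriptor.type}(buf, 0)[0];\n` +
    `return { ${descriptor.name}: value };`;
  return new Function("readers", "buf", src).bind(null, readers);
}

// Hardened generator: accept only identifiers (protobuf type references may
// be dotted) and only types the generator actually knows, before any string
// reaches the source template.
const TYPE_REF = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isValidTypeName(s) {
  return typeof s === "string" && TYPE_REF.test(s);
}

function buildDecoderSafe(descriptor) {
  if (!isValidTypeName(descriptor.type)) {
    throw new TypeError(`illegal type reference: ${JSON.stringify(descriptor.type)}`);
  }
  if (typeof descriptor.name !== "string" || !FIELD_NAME.test(descriptor.name)) {
    throw new TypeError(`illegal field name: ${JSON.stringify(descriptor.name)}`);
  }
  if (!Object.prototype.hasOwnProperty.call(readers, descriptor.type)) {
    throw new TypeError(`unknown type: ${descriptor.type}`);
  }
  // Only validated identifiers reach the template now.
  return buildDecoderUnsafe(descriptor);
}

// Constructed malicious descriptor: the "type" closes the intended call,
// appends a statement (here a harmless global flag) and resumes valid syntax.
const maliciousDescriptor = {
  name: "id",
  type: "uint32(buf, 0)[0]; globalThis.injectedFlag = true; const z = readers.uint32",
};
const benignDescriptor = { name: "id", type: "uint32" };
const sampleMessage = Uint8Array.from([7]); // constructed: one uint32 field = 7

// Returns what each generator does with the malicious descriptor so the
// difference is observable: the unsafe path runs the injected statement,
// the safe path refuses to compile the descriptor at all.
function demonstrateInjection() {
  delete globalThis.injectedFlag;
  buildDecoderUnsafe(maliciousDescriptor)(sampleMessage);
  const unsafeRanInjectedCode = globalThis.injectedFlag === true;

  delete globalThis.injectedFlag;
  let safeRejected = false;
  try {
    buildDecoderSafe(maliciousDescriptor);
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }
  const safeRanInjectedCode = globalThis.injectedFlag === true;
  return { unsafeRanInjectedCode, safeRejected, safeRanInjectedCode };
}

console.log(buildDecoderSafe(benignDescriptor)(sampleMessage)); // { id: 7 }
console.log(demonstrateInjection());
```

The design point is that validation happens before interpolation: once a string has been pasted into source, no amount of escaping inside the template helps, so the generator must only ever see values that match the identifier grammar the language and the protobuf schema actually allow.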
CVSS v3.1 score: 9.8 / 10.0 (CRITICAL)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Information
- Published: 18 Apr 2026
- Updated: 23 Apr 2026
- Status: Analyzed
- Source: security-advisories@github.com
Affected products
protobufjs project protobufjs
Versions: 7.5.5, 8.0.0
Weaknesses (CWE)
CWE-94 (Improper Control of Generation of Code, "Code Injection")
References (5)
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5 (Product, Release Notes)
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1 (Product, Release Notes)
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg (Exploit, Vendor Advisory)