protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
CVSS v3.1 Score: 9.8 / 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Information
- Published: 18 Apr. 2026
- Updated: 23 Apr. 2026
- Status: Analyzed
- Source: security-advisories@github.com
Affected products
protobufjs project protobufjs
Versions: 7.5.5, 8.0.0
Weaknesses (CWE)
CWE-94
References (5)
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5 (Product, Release Notes)
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1 (Product, Release Notes)
- https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg (Exploit, Vendor Advisory)