Critical Vulnerability in protobuf.js
21 April 2026
A critical vulnerability has been identified in protobuf.js, a JavaScript implementation of Google’s Protocol Buffers. Users and administrators of affected products are advised to update to the latest versions immediately.
Background
A critical vulnerability (CVE-2026-41242) has been identified in protobuf.js, a JavaScript implementation of Google’s Protocol Buffers. It is used to help different online services communicate with each other, power real-time applications like messaging or gaming, and efficiently store organised information in databases and cloud systems.
Impact
An attacker can supply a malicious protobuf schema, specifically in the "type" fields of protobuf definitions. This allows the injection of arbitrary code via the Function() constructor, which is executed when the application processes a message using that schema. In applications that load attacker-influenced schemas, successful exploitation could grant access to environment variables, credentials, databases and internal systems, and even allow lateral movement within the infrastructure.
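As an added example (not code from the advisory or from the protobuf.js project), the check below walks a protobuf.js-style JSON descriptor before it is loaded and rejects any "type" or "keyType" value that is not a plain protobuf type name, so a schema carrying anything else never reaches the code generator. The descriptor layout (nested/fields keys), the sample descriptors and the helper names are assumptions.

```javascript
// Added example, not from the advisory or protobuf.js. Pre-load check for
// protobuf.js JSON descriptors: a "type" or "keyType" value that is not a plain
// type name is refused before the schema is handed to Root.fromJSON or similar.
//
// Assumed descriptor shape (as produced by protobuf.js Root#toJSON):
//   { nested: { Pkg: { nested: { Msg: { fields: { f: { type, id } } } } } } }

// A protobuf type reference is a dotted identifier, optionally with a leading dot.
const TYPE_NAME = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Walk a descriptor and collect every field whose type is not a plain type name.
function findUnsafeTypes(descriptor, path = "", out = []) {
  const nested = descriptor && descriptor.nested;
  if (nested && typeof nested === "object") {
    for (const [name, node] of Object.entries(nested)) {
      const here = path ? `${path}.${name}` : name;
      const fields = node.fields && typeof node.fields === "object" ? node.fields : {};
      for (const [fname, field] of Object.entries(fields)) {
        for (const key of ["type", "keyType"]) {
          const val = field[key];
          if (val !== undefined && (typeof val !== "string" || !TYPE_NAME.test(val))) {
            out.push({ field: `${here}.${fname}`, key, value: val });
          }
        }
      }
      findUnsafeTypes(node, here, out); // recurse into nested messages and packages
    }
  }
  return out;
}

// Gate: returns the descriptor only if it passed the check, otherwise throws.
function assertSafeDescriptor(descriptor) {
  const bad = findUnsafeTypes(descriptor);
  if (bad.length) {
    const detail = bad.map(b => `${b.field}.${b.key}=${JSON.stringify(b.value)}`).join(", ");
    throw new Error(`Refusing to load schema: ${detail}`);
  }
  return descriptor;
}

// Constructed sample descriptors (not taken from the advisory).
const SAFE_DESCRIPTOR = { nested: { shop: { nested: {
  Order: { fields: {
    id: { type: "uint64", id: 1 },
    lines: { rule: "repeated", type: ".shop.Line", id: 2 },
    tags: { keyType: "string", type: "string", id: 3 } } },
  Line: { fields: { sku: { type: "string", id: 1 } } } } } } };
const UNSAFE_DESCRIPTOR = { nested: { shop: { nested: {
  Order: { fields: { id: { type: "not a type name", id: 1 } } } } } } };
```

Run the gate on every externally supplied schema before loading it; the thrown message names the offending field so the rejection can be logged and alerted on.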
Affected Products
The vulnerability affects the following product versions.
Protobuf.js versions prior to 8.0.1
Protobuf.js versions prior to 7.5.5
Recommendations
Users and administrators of affected products are advised to update to the latest versions immediately.
References
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
