CVE-2026-41242: Remote Code Execution via Code Injection in protobufjs

The protobufjs library is a widely adopted Node.js package that provides protocol buffer serialization and deserialization capabilities. Many modern architectures rely on protocol buffers for efficient inter-service communication and data storage. The library handles parsing .proto files and JSON descriptor objects to construct message schemas dynamically at runtime.

CVE-2026-41242 is a critical Improper Control of Generation of Code vulnerability (CWE-94) located within the schema processing logic of the package. The flaw manifests when the library dynamically generates encoding and decoding routines to optimize processing performance. This optimization technique relies on Just-In-Time (JIT) compilation of JavaScript strings.

An attacker who can control the schema definition processed by the application can inject arbitrary JavaScript into these generated routines. Execution of this injected code occurs within the context of the running Node.js process. This results in complete system compromise if the node process runs with sufficient privileges.

To achieve high throughput, protobufjs constructs specialized encoding and decoding functions on the fly for each processed schema. The library concatenates static JavaScript code templates with dynamic variables derived from the parsed schema. These concatenated strings are subsequently instantiated into executable routines using the JavaScript new Function() constructor.

The vulnerability stems from an absolute lack of input sanitization during this string concatenation phase. The library directly interpolates metadata properties extracted from the user-supplied schema into the executable code string. Specifically, the type and name properties of a nested schema type are placed into the code without escaping or validation.

When the JavaScript runtime attempts to compile the output of the new Function() constructor, it parses the entire string as code. An attacker can construct a schema where the name property contains characters that break out of the intended string or variable context. By inserting characters such as closing parentheses, semicolons, and curly braces, the attacker defines new lexical boundaries and inserts arbitrary executable statements.

The vulnerability was addressed by introducing a rigorous sanitization step within the type instantiation logic. Maintainers released patch commits, specifically 535df444ac060243722ac5d672db205e5c531d75 for the main branch and ff7b2afef8754837cc6dc64c864cd111ab477956 for the 7.x release line.

The core fix resides in src/type.js. The vulnerable implementation accepted the name parameter directly from the parsed descriptor and passed it unmodified into the namespace constructor. The patched version applies a strict regular expression filter to strip any non-alphanumeric characters.

// src/type.js - Patched Implementation
function Type(name, options) {
+   // Strips non-alphanumeric/underscore characters to prevent syntax breakout
+   name = name.replace(/\W/g, ""); 
    Namespace.call(this, name, options);
// ...

This mitigation forces the name string to conform strictly to valid JavaScript identifier constraints. Any structural characters required for an injection attack are silently removed before the string reaches the new Function() sink. The following diagram illustrates the patched execution flow.

Exploiting CVE-2026-41242 requires the attacker to supply a malicious Protobuf descriptor to a vulnerable application endpoint. The attack sequence typically begins with the application invoking protobuf.Root.fromJSON() or parsing an equivalent .proto file containing untrusted input. The exploit payload targets the namespace identifier structure.

The provided proof-of-concept payload defines a nested type with an extensively crafted string as its key. The string ExploitType; (function(){ console.log('RCE_EXECUTED'); require('child_process').execSync('touch /tmp/pwned'); })(); // serves as the malicious name property. When the library evaluates this schema, the compilation process maps this key directly into the uncompiled source text.

const maliciousDescriptor = {
  nested: {
    "ExploitType; (function(){ require('child_process').execSync('touch /tmp/pwned'); })(); //": {
      fields: { someField: { type: "string", id: 1 } }
    }
  }
};

The initial ExploitType; terminates the preceding logical statement inside the dynamically generated function. The subsequent immediately invoked function expression contains the arbitrary commands, executed instantly upon compilation. The trailing // neutralizes any trailing code appended by the template, preventing syntax errors that would halt execution.

Successful exploitation of CVE-2026-41242 yields unauthenticated Remote Code Execution (RCE). The injected JavaScript commands inherit the execution context and permissions of the hosting Node.js application. This access level permits the execution of arbitrary system commands, direct interaction with the underlying filesystem, and access to process environment variables.

The primary attack vector involves network services that accept dynamic schema definitions. Multi-tenant environments, plugin architectures, and systems processing serialized data from untrusted repositories represent the highest risk profiles. Applications statically loading trusted schemas at startup remain vulnerable only if an attacker compromises the schema repository.

The vulnerability possesses a CVSS v4 score of 9.4, reflecting its minimal attack complexity and severe impact metrics. The public availability of functional exploit repositories elevates the probability of widespread scanning and exploitation attempts targeting internet-facing Node.js services.

The fundamental remediation strategy requires updating the protobufjs dependency to a secured version. Organizations must upgrade to version 7.5.5 or 8.0.1 immediately. Dependency trees should be audited using package management tools to identify transitive dependencies relying on vulnerable versions of the library.

Applications must enforce strict boundary validation for all external inputs. Protobuf definitions and JSON descriptors must not be loaded from untrusted network sources or unauthenticated users. If dynamic schema loading is a rigid business requirement, implement strict schema structure validation before passing the data to the protobufjs parser.

Employing defense-in-depth measures limits the blast radius of a successful exploit. Execute Node.js processes with least-privilege service accounts to restrict filesystem and network access. Implement system-level sandboxing, such as seccomp profiles or restricted container capabilities, to prevent child process execution.