Description
protobufjs could execute generated JavaScript code derived from protobuf schema metadata. When loading a crafted JSON descriptor, schema-controlled type names and type references could reach runtime code generation without sufficient validation.
Recommendation
Update the protobufjs package to the latest compatible version. The version details are as follows:
Affected version(s): **< 7.5.5; >= 8.0.0, < 8.0.1** Patched version(s): **7.5.5, 8.0.1**
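A pre-load check for JSON descriptors that come from untrusted sources, usable as defence in depth alongside the upgrade. This is an added example, not protobufjs code or the advisory's fix. It assumes the protobufjs JSON descriptor layout (`nested`, `fields`, `methods`) and that legitimate type names and type references are plain identifiers; `validateDescriptor`, both patterns and the sample are hypothetical.

```javascript
// Added example, not protobufjs code. Assumption: type names and type
// references in an untrusted descriptor are limited to plain identifiers.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
const FIELD_REFS = ["type", "keyType", "extend"];
const METHOD_REFS = ["requestType", "responseType"];

// Record every present reference key in each member that is not a dotted identifier.
function checkRefs(members, keys, path, errors) {
  for (const [name, member] of Object.entries(members || {})) {
    for (const key of keys) {
      const ref = member ? member[key] : undefined;
      if (ref === undefined) continue;
      if (typeof ref !== "string" || !TYPE_REF.test(ref))
        errors.push(`${path}.${name}.${key}: bad type reference ${JSON.stringify(ref)}`);
    }
  }
}

// Walk one namespace, message or service node and everything nested in it.
function walk(node, path, errors) {
  if (node === null || typeof node !== "object" || Array.isArray(node)) {
    errors.push(`${path}: not an object`);
    return;
  }
  checkRefs(node.fields, FIELD_REFS, `${path}.fields`, errors);
  checkRefs(node.methods, METHOD_REFS, `${path}.methods`, errors);
  for (const [name, child] of Object.entries(node.nested || {})) {
    if (!IDENT.test(name)) errors.push(`${path}.nested: bad type name ${JSON.stringify(name)}`);
    walk(child, `${path}.nested.${name}`, errors);
  }
}

// Returns a list of findings; an empty list means the descriptor passed.
function validateDescriptor(descriptor) {
  const errors = [];
  walk(descriptor, "root", errors);
  return errors;
}

// Constructed sample: one odd type name and one odd type reference.
const SAMPLE = JSON.parse(`{"nested": {"demo": {"nested": {
  "Ok":       {"fields": {"id":  {"type": "int32", "id": 1}}},
  "Bad Name": {"fields": {"ref": {"type": "demo.Ok;x", "id": 1}}}
}}}}`);

console.log(validateDescriptor(SAMPLE));
```

Reject the descriptor when the returned list is non-empty, before it is handed to the library.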
Related Issues
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content - CVE-2026-0969
- Electerm runWidget has a path traversal that leads to arbitrary code execution - CVE-2026-43940
- OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment - CVE-2026-41900
Tags: npm, protobufjs
Last updated on May 04, 2026


