Advisory

Critical Remote Code Execution Vulnerability Discovered in Protobuf.js Library

Take action: If your applications use protobuf.js (or libraries like gRPC, Firebase, or Google Cloud SDKs), update protobuf.js to version 8.0.1 or 7.5.5 ASAP. Run npm audit to catch hidden dependencies. Going forward, only load schemas you control and prefer precompiled static schemas in production to avoid this class of attack entirely.


Learn More

Protobuf.js, a popular JavaScript implementation of Google's Protocol Buffers with over 50 million weekly downloads, contains a critical remote code execution vulnerability. The flaw allows attackers to run arbitrary code on servers and developer machines. 

The vulnerability is tracked as CVE-2026-41242 (CVSS score 9.4), a remote code execution flaw in the protobuf.js library that stems from unsafe dynamic code generation during schema compilation. The library builds JavaScript functions by concatenating schema-derived identifiers into the Function() constructor without validation, so an attacker who can supply a schema can inject arbitrary code through a malicious message type name. The injected code runs the first time the application encodes or decodes a message using the poisoned schema, leading to full compromise of the process.
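The safe counterpart to the pattern described above is to validate every schema-derived name before it is spliced into generated source. The following is an added illustration written for this advisory, not protobuf.js's own generator: `validateSchemaTree` walks a parsed schema and rejects any type or field name that is not a plain identifier, and `buildDecoder` only hands validated names to `Function()`. The schema shape (`{ name, fields, nested }`) and all function names are assumptions.

```javascript
// Added example (not protobuf.js code): allowlist validation of schema-derived
// identifiers before any dynamic code generation.

// Only characters a plain JavaScript identifier may contain. Quotes, brackets,
// semicolons and whitespace are all rejected, so a name from an untrusted
// schema can never terminate or extend the generated expression.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Valid by the regex, but would still change the meaning of generated code.
const RESERVED = new Set([
  "function", "return", "var", "let", "const", "class", "new", "this",
  "eval", "arguments", "import", "export", "__proto__", "constructor",
]);

function assertSafeIdentifier(name, what) {
  if (typeof name !== "string" || !IDENTIFIER_RE.test(name) || RESERVED.has(name)) {
    throw new TypeError(`unsafe ${what} in schema: ${JSON.stringify(name)}`);
  }
  return name;
}

// Walk a whole schema tree (constructed shape: { name, fields, nested }) and
// fail fast before anything is compiled. Returns the number of names checked.
function validateSchemaTree(type) {
  let checked = 1;
  assertSafeIdentifier(type.name, "type name");
  for (const field of type.fields || []) {
    assertSafeIdentifier(field.name, "field name");
    if (!Number.isInteger(field.id) || field.id < 1) {
      throw new TypeError(`bad field id for ${field.name}`);
    }
    checked++;
  }
  for (const child of type.nested || []) checked += validateSchemaTree(child);
  return checked;
}

// Build a decoder for a flat message type from an already-validated schema.
// The generated function copies field values keyed by numeric id into a
// message object keyed by field name.
function buildDecoder(type) {
  validateSchemaTree(type);
  const lines = [`// generated decoder for ${type.name}`, "var m = {};"];
  for (const field of type.fields || []) {
    // Field names are emitted as JSON string literals and ids as integers;
    // neither can alter the control flow of the generated source.
    lines.push(
      `if (input[${field.id}] !== undefined) m[${JSON.stringify(field.name)}] = input[${field.id}];`
    );
  }
  lines.push("return m;");
  return new Function("input", lines.join("\n"));
}

// Constructed sample schema used for the demonstration below.
const POINT_SCHEMA = {
  name: "Point",
  fields: [{ name: "x", id: 1 }, { name: "y", id: 2 }],
};

module.exports = { assertSafeIdentifier, validateSchemaTree, buildDecoder, POINT_SCHEMA };
```

In practice the validation step belongs at the boundary where a schema is loaded (for example before a `.proto` file from a repository or a network peer is passed to a reflection-based loader), so that a bad name is rejected long before any generated function exists.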

Successful exploitation grants attackers full control over the running Node.js process, allowing them to pivot into internal networks and exposing environment variables, service tokens and API credentials, database connection strings, and in-memory user data.

The vulnerability affects protobufjs versions 8.0.0 and lower, as well as 7.5.4 and lower. Because this library is a core component for gRPC and cloud communications, it is often pulled in as a transitive dependency. Affected downstream packages include @grpc/proto-loader, Firebase SDKs, and Google Cloud client libraries.

Organizations should upgrade to protobufjs version 8.0.1 or 7.5.5 as soon as possible. Security teams should also audit transitive dependencies using tools like npm audit or reachability analysis.
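Because protobufjs usually arrives as a transitive dependency, a quick way to find every installed copy is to walk the tree that `npm ls --all --json` prints. The script below is an added example for this advisory (not an npm or protobuf.js tool): it reports each `protobufjs` entry with its dependency path and flags versions below the fixed releases named above (8.0.1 on the 8.x line, 7.5.5 on the 7.x line; anything older than 7.x is treated as affected since the advisory covers "8.0.0 and lower"). The sample tree, the `0.0.0-constructed` version strings and all function names are constructed for the demonstration.

```javascript
// Added example (not part of the advisory or of protobuf.js): flag affected
// protobufjs versions in an `npm ls --all --json` dependency tree.

// Fixed versions named in the advisory, keyed by major version line.
const FIXED = { 8: [8, 0, 1], 7: [7, 5, 5] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when the installed version is below the fixed release for its line.
// Unparsable versions are reported as affected so they get a human look.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true;
  const fixed = FIXED[v[0]];
  if (!fixed) return v[0] < 7; // 6.x and older predate both fixed lines; 9.x+ is newer
  return compareVersions(v, fixed) < 0;
}

// Recursively collect every protobufjs entry with the path that pulled it in.
function findProtobufjs(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${info.version}`];
    if (name === "protobufjs") {
      out.push({ version: info.version, path: chain.join(" > "), affected: isAffected(info.version) });
    }
    findProtobufjs(info, chain, out);
  }
  return out;
}

// Constructed sample: one direct copy already on a fixed version and one
// transitive copy (via @grpc/proto-loader) still on an affected version.
const SAMPLE_TREE = {
  name: "example-service",
  version: "1.0.0",
  dependencies: {
    "@grpc/proto-loader": {
      version: "0.0.0-constructed",
      dependencies: { protobufjs: { version: "7.5.4" } },
    },
    protobufjs: { version: "8.0.1" },
  },
};

// Usage: npm ls --all --json | node audit-protobufjs.js --stdin
if (process.argv.includes("--stdin")) {
  const tree = JSON.parse(require("node:fs").readFileSync(0, "utf8"));
  for (const hit of findProtobufjs(tree)) {
    console.log(`${hit.affected ? "AFFECTED" : "ok      "} ${hit.path}`);
  }
}

module.exports = { isAffected, findProtobufjs, SAMPLE_TREE };
```

Pair this with `npm audit` rather than replacing it: the tree walk only tells you which copies are installed, while reachability analysis is needed to know whether any of them ever loads a schema that comes from outside your control.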

For long-term protection, developers should treat all schema-loading as untrusted input and prefer using precompiled static schemas in production environments.
